Trusted Solaris 2.5 Transition Guide

Sun Microsystems Federal, Inc. A Sun Microsystems, Inc. Business 901 San Antonio Road Palo Alto, CA 94303 U.S.A.

This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.

Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd.

Sun, Sun Microsystems, the Sun logo, SunSoft, SunDocs, SunExpress, and SunOS, OpenWindows, NFS, Sun Ultra, Ultra, JumpStart, Solaris, Solstice, Solstice AdminSuite, Solstice AdminTools, Solstice Autoclient, Solstice CacheOS, Disksuite, ToolTalk, X11/NeWS, Trusted NeWSprint, IPC, OpenBoot, SHIELD, XView, SunInstall, and Trusted Solaris are trademarks, registered trademarks, or service marks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc . X/Open® is a registered trademark and "X" device is a trademark of X/Open Company Limited, Netscape is a trademark of Netscape Communications Corporation, and PostScript is a trademark of Adobe Systems, Incorporated.

The OPEN LOOK and Sun™ Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non- exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements.

RESTRICTED RIGHTS: Use, duplication, or disclosure by the U.S. Government is subject to restrictions of FAR 52.227-14(g)(2)(6/87) and FAR 52.227- 19(6/87), or DFAR 252.227-7015(b)(6/95) and DFAR 227.7202-3(a).

DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Copyright 1997 Sun Microsystems, Inc., 2550 Garcia Avenue, Mountain View, Californie 94043-1100 Etats-Unis. Tous droits réservés.

Ce produit ou document est protégé par un copyright et distribué avec des licences qui en restreignent l’utilisation, la copie, la distribution, et la décompilation. Aucune partie de ce produit ou document ne peut être reproduite sous aucune forme, par quelque moyen que ce soit, sans l’autorisation préalable et écrite de Sun et de ses bailleurs de licence, s’il y en a. Le logiciel détenu par des tiers, et qui comprend la technologie relative aux polices de caractères, est protégé par un copyright et licencié par des fournisseurs de Sun.

Des parties de ce produit pourront être dérivées des systèmes Berkeley BSD licenciés par l’Université de Californie. UNIX est une marque déposée aux Etats-Unis et dans d’autres pays et licenciée exclusivement par X/Open Company, Ltd. Sun, Sun Microsystems, le logo Sun, SunSoft, SunDocs, SunExpress, et Solaris SunOS, OpenWindows, NFS, Sun Ultra, Ultra, JumpStart, Solstice, Solstice AdminSuite, Solstice AdminTools, Solstice Autoclient, Solstice CacheOS, Disksuite, ToolTalk, X11/NeWS, Trusted NeWSprint, IPC, OpenBoot, SHIELD, XView, SunInstall, et Trusted Solaris sont des marques de fabrique ou des marques déposées, ou marques de service, de Sun Microsystems, Inc. aux Etats- Unis et dans d’autres pays. Toutes les marques SPARC sont utilisées sous licence et sont des marques de fabrique ou des marques déposées de SPARC International, Inc. aux Etats-Unis et dans d’autres pays. Les produits portant les marques SPARC sont basés sur une architecture développée par Sun Microsystems, Inc. .X/Open® est une marque enregistrées et "X" device est une marque de X/Open Company Limited, Netscape est une marque de Netscape Communications Corporation, et PostScript est une marque de Adobe Systems, Incorporated.

L’interface d’utilisation graphique OPEN LOOK et Sun™ a été développée par Sun Microsystems, Inc. pour ses utilisateurs et licenciés. Sun reconnaît les efforts de pionniers de Xerox pour la recherche et le développement du concept des interfaces d’utilisation visuelle ou graphique pour l’industrie de l’informatique. Sun détient une licence non exclusive de Xerox sur l’interface d’utilisation graphique Xerox, cette licence couvrant également les licenciés de Sun qui mettent en place l’interface d’utilisation graphique OPEN LOOK et qui en outre se conforment aux licences écrites de Sun.

CETTE PUBLICATION EST FOURNIE "EN L’ETAT" ET AUCUNE GARANTIE, EXPRESSE OU IMPLICITE, N’EST ACCORDEE, Y COMPRIS DES GARANTIES CONCERNANT LA VALEUR MARCHANDE, L’APTITUDE DE LA PUBLICATION A REPONDRE A UNE UTILISATION PARTICULIERE, OU LE FAIT QU’ELLE NE SOIT PAS CONTREFAISANTE DE PRODUIT DE TIERS. CE DENI DE GARANTIE NE S’APPLIQUERAIT PAS, DANS LA MESURE OU IL SERAIT TENU JURIDIQUEMENT NUL ET NON AVENU.

Please Recycle Contents

Preface...... xiii 1. Overview ...... 1 Main Differences ...... 2 Differences from Solaris 2.5.1 Release ...... 2 Differences from Trusted Solaris 1.2 Release ...... 3 Trusted Solaris Security Features ...... 4 Transition from Trusted Solaris 1.2 Release ...... 6 2. User and Administrator Transition ...... 9 Installation ...... 10 Login ...... 10 Administration ...... 10 Databases ...... 11 NIS+ Name Service ...... 12 Administrative Graphic User Interfaces ...... 13 Trusted Solstice AdminSuite Administration ...... 13

iii Trusted Local Files Administration ...... 15 Labels ...... 15 Label Conﬁguration ...... 15 Changes from Trusted Solaris 1.x Labels...... 16 Common Desktop Environment ...... 16 Defaults ...... 17 Window and Icon Labeling...... 17 Trusted Screen Stripe ...... 17 Desktop Applications ...... 17 Tooltalk ...... 18 Window Properties ...... 18 Trusted Drag ’n Drop...... 18 Network ...... 19 Host Types...... 19 Multilevel Ports - New ...... 20 Network Interfaces and Routing ...... 20 Network Interface Database ...... 20 Remote Host Databases...... 21 Network Utility Commands ...... 21 Distributed Services...... 22 Access Control Lists ...... 23 File Systems ...... 23 File System Attribute Commands and Files ...... 24 New - File System Object Attributes ...... 24

iv Trusted Solaris Transition Guide—July 1997 New - File Manager Sets Security Attributes ...... 24 Multilabel File Systems ...... 25 Multilevel Directories ...... 26 Devices ...... 26 Auditing ...... 27 Printing ...... 29 Mail ...... 30 User’s Workspace...... 30 Front Panel ...... 30 Trusted Path Menu...... 31 Multiple Workspaces ...... 31 Role Workspaces...... 31 Window and Icon Labeling...... 31 Trusted Screen Stripe ...... 31 Trusted Front Panel Actions ...... 32 Desktop Applications ...... 32 Trusted Drag ‘n Drop...... 33 Interoperation...... 33 Network Protocols ...... 33 Privilege and Authorization Interoperability ...... 34 File System Interoperability ...... 34 Window Interoperability...... 35 Data Interchange ...... 35 Porting Applications ...... 36

Contents v Privilege Debugging ...... 37 New and Replaced Commands ...... 38 New User Commands ...... 38 New System Administration Commands...... 38 Administrative and User Command Summary ...... 39 3. Programmer Transition ...... 43 Highlights ...... 44 Man Pages and Header File Locations ...... 46 Database Locations ...... 47 New Network Database Interfaces – tnrhdb and tnrhtp 47 System Packaging Tools ...... 48 Changes to Programming Interfaces ...... 48 Devices ...... 49 Label Interfaces ...... 49 Label Encodings File Interfaces ...... 51 Label Builder Interfaces ...... 51 Privilege Interfaces ...... 52 Privilege Macros ...... 54 Privilege Debugging ...... 54 Authorization Interfaces ...... 55 Process Attributes and Flags Interfaces ...... 55 File System Attributes and Flags Interfaces ...... 57 Access Control Lists ...... 58 User Database Interfaces – tsolprof and tsoluser . . . . 59

vi Trusted Solaris Transition Guide—July 1997 Execution Proﬁle Database Entries ...... 60 User Database Entries ...... 61 Auditing ...... 61 Trusted X Window System ...... 62 X Protocol Extensions ...... 63 Inter-Process Communication (IPC) ...... 64 System V IPC ...... 64 Endpoint Communications Interfaces ...... 65 Trusted Security Information Exchange Library (TSIX) 67 RPC Interfaces ...... 68 New Multilevel Ports...... 68 Trusted Streams ...... 69 CDE Desktop Applications...... 69 A. Trusted Solaris Programming Interfaces...... 71 System Calls Unique to Trusted Solaris Operating Systems 72 Trusted Streams Functions ...... 74 Solaris 2.5.1 System Calls Enhanced for Security ...... 75 Removed Trusted Solaris 1.x System Calls ...... 80 Library Routines Unique to Trusted Solaris ...... 80 Solaris 2.5.1 Library Routines Enhanced for Security . . . . . 87 Removed Trusted Solaris 1.x Library Routines and Functions 91 B. Privileges and Authorizations Transition...... 95 Location of Privilege and Authorization Information...... 96 Changes to Privileges ...... 96

Contents vii Retained Privileges ...... 97 Removed Privileges...... 98 New Trusted Solaris 2.5 Privileges ...... 99 Changes to Authorizations ...... 100 Replacements for Trusted Solaris 1.x Authorizations . . . . . 101

viii Trusted Solaris Transition Guide—July 1997 Tables

Table 1-1 Differences from Solaris 2.5.1 Release ...... 2 Table 1-2 Trusted Solaris 1.2 Features Not Supported ...... 3 Table 1-3 Trusted Solaris 2.5 Security Features ...... 4 Table 1-4 New Trusted Solaris 2.5 Security Features ...... 5 Table 1-5 Main Changes Between Trusted Solaris 1.2 and Trusted Solaris 2.5 Releases ...... 6 Table 2-1 Trusted Solaris 2.5 Databases ...... 11 Table 2-2 Routing File Change ...... 20 Table 2-3 File System Attributes in Trusted Solaris 2.5...... 24 Table 2-4 File System Command and File Changes ...... 25 Table 2-5 Device Command and File Changes...... 27 Table 2-6 Interoperability Between Audit Trail Formats ...... 28 Table 2-7 Modified from Base Solaris ...... 28 Table 2-8 Changes in Audit Files from BSM and Trusted Solaris 1.x Auditing 29 Table 2-9 Moving Data to a Trusted Solaris 2.5 System ...... 35

ix Table 2-10 Moving Data from a Trusted Solaris 2.5 System to Another System 36 Table 2-11 User and Administrative Trusted Solaris 1.x Commands. . . . 39 Table 2-12 Trusted Solaris 2.5 New User and Administrative Commands 41

Table 3-1 Highlights of Trusted Solaris 2.5 Features...... 44 Table 3-2 Man Page and Header File Locations...... 46 Table 3-3 Trusted Solaris 2.5 Database Directories ...... 47 Table 3-4 Kernel Host Information API...... 48 Table 3-5 New API for Labels and Clearances ...... 50 Table 3-6 Modified Label Commands and API ...... 50 Table 3-7 New API for Labels and Clearances ...... 51 Table 3-8 Label Builder Interfaces ...... 52 Table 3-9 Privilege API Changes ...... 53 Table 3-10 Changes to Privilege Macros ...... 54 Table 3-11 Trusted Solaris 2.5 Authorization API Changes ...... 55 Table 3-12 Security Attributes Available in the Trusted Solaris 2.5 Operating System ...... 56 Table 3-13 Process Command and API Changes...... 56 Table 3-14 Unique to Trusted Solaris 2.5 File System Interfaces ...... 57 Table 3-15 Unique to Trusted Solaris 2.5 File Interfaces ...... 58 Table 3-16 ACL Interface Changes...... 58 Table 3-17 Library Routines to Access Execution Profile and User Information 59 Table 3-18 Auditing Modifications from the Base ...... 62 Table 3-19 Auditing Modifications from Trusted Solaris 1.x ...... 62 Table 3-20 X WIndow System Interfaces Unique to the Trusted Solaris 2.5 release ...... 63

x Trusted Solaris Transition Guide—July 1997 Table 3-21 SVIPC Interfaces Enhanced in the Trusted Solaris 2.5 Releases 65 Table 3-22 Solaris 2.5.1 Socket Interfaces Modified for Security and Multilevel Ports...... 65 Table 3-23 Solaris2.5.1 TLI Interfaces Modified for Security and Multilevel Ports...... 66 Table 3-24 Network Interfaces Unique to Trusted Solaris 2.5 ...... 67 Table A-1 Trusted Solaris-specific System Calls ...... 72 Table A-2 Trusted Streams Interfaces...... 74 Table A-3 Modified Solaris 2.5.1 System Calls ...... 75 Table A-4 System Calls Removed Between Trusted Solaris Releases . . . 80 Table A-5 Trusted Solaris 2.5 Library Routines...... 81 Table A-6 Modified Solaris 2.5.1 Library Routines...... 87 Table A-7 Removed Trusted Solaris 1.x Library Routines...... 91 Table B-1 Privileges Retained Between the Two Releases ...... 97 Table B-2 Privileges Removed Between the Two Releases ...... 98 Table B-3 New Trusted Solaris 2.5 Privileges ...... 99 Table B-4 Replacements for Trusted Solaris 1.x Default TFM_ROLE Authorizations ...... 101 Table B-5 Replacements for Trusted Solaris 1.x Default User Authorizations 102 Table B-6 Trusted Solaris 2.5 Authorizations ...... 102

Tables xi xii Trusted Solaris Transition Guide—July 1997 Preface

This guide presents an overview of the differences between the Trusted Solaris 2.5 operating environment and its base, the Solaris 2.5.1 operating environment, and the changes and enhancements of the Trusted Solaris 2.5 environment over the Trusted Solaris 1.2 environment. See the Trusted Solaris 2.5 document set and man pages for how to use the new Trusted Solaris 2.5 features.

Who Should Use This Book

This book is for users, programmers, and administrators familiar with previous versions of the Trusted Solaris environment, and for users, programmers, and administrators familiar with the Solaris 2.5.1 environment.

Related Materials

The Trusted Solaris 2.5 document set is supplemental to the Solaris 2.5.1 document set. You should obtain a copy of both sets for a complete understanding of the Trusted Solaris 2.5 environment. Books of particular help when addressing transition include:

Trusted Solaris Books • Trusted Solaris User’s Guide: Describes basic features of the Trusted Solaris environment that are common to all users of the system. Includes a glossary.

xiii • Trusted Solaris Administration Overview: Explains basic concepts and terminology commonly used throughout the Trusted Solaris 2.5 environment. • Trusted Solaris Administrator’s Procedures: Explains administrative procedures in the Trusted Solaris 2.5 environment that differ from the Solaris 2.5.1 environment.

Base Solaris Books • Solaris 2.5 Introduction: Tabulates differences between Solaris 1.x versions and later Solaris releases. • Solaris 1.x to 2.x Transition Guide: Details differences in structure and use between Solaris 1.x versions and later Solaris releases.

How This Book is Organized

This guide is divided into a high-level overview, changes that affect users and administrators, and changes that affect programmers. The appendixes summarize privileges, authorizations, and changed programming interfaces.

Chapter 1– Overview gives an overall view of the differences between the Trusted Solaris 2.5 environment and its Solaris 2.5.1 base, and between the Trusted Solaris 2.5 environment and the Trusted Solaris 1.2 version. All users should read this chapter.

Chapter 2– User and Administrator Transition describes how the Trusted Solaris 2.5 environment differs from the Solaris 2.5.1 environment and the Trusted Solaris 1.2 environment from the perspective of a desktop user, a system administrator, and a security administrator. It describes desktop changes, administration utilities changes, and other changes in the Trusted Solaris environment. All users and administrators should read this chapter.

Chapter 3 – Programmer Transition describes how the Trusted Solaris 2.5 environment differs from the Solaris 2.5.1 environment and the Trusted Solaris 1.2 environment from the perspective of a developer. It lists changes in location for man pages, header ﬁles, and databases. It also lists modiﬁed programming interfaces (APIs), commands, and macros. Developers should read this chapter.

xiv Trusted Solaris 2.5 Transition Guide—July 1997 Appendix A – Trusted Solaris Programming Interfaces lists preserved, removed, and changed Trusted Solaris 2.5 programming interfaces (APIs), commands, and macros.

Appendix B – Privileges and Authorizations Transition describes how Trusted Solaris 2.5 privileges and authorizations differ from their Trusted Solaris 1.2 implementation.

Typographic Changes and Symbols

The following table describes the type changes and symbols used in this book.

Table P-1 Typographic Conventions

Typeface or Symbol Meaning Example AaBbCc123 The names of commands, files, Edit your .login file. and directories; on-screen Use ls -a to list all files. computer output system% You have mail.

AaBbCc123 What you type, contrasted with system% su on-screen computer output Password: AaBbCc123 Command-line placeholder or To delete a file, type rm filename. variable name. Replace with a The errno variable is set. real name or value AaBbCc123 Book titles, new words or terms, Read Chapter 6 in User’s Guide. or words to be emphasized These are called class options. You must be root to do this. Code samples are in code font and may display the following: % UNIX C shell prompt machine% $ UNIX Bourne shell, Korn shell, $ and Profile shell prompt # root prompt, all shells #

Preface xv xvi Trusted Solaris 2.5 Transition Guide—July 1997 Overview 1

The Trusted Solaris 2.5 environment is built on • the Solaris 2.5.1 environment (sometimes called “the base”) • the Common Desktop Environment (CDE) 1.0.2, and • the Solstice AdminSuite™ 2.1 databases.

Like the Trusted Solaris 1.2 version, Trusted Solaris 2.5 runs on SPARC hardware. Unlike the Solaris 2.5.1 environment, it does not run on the x86 or PowerPC platforms.

The Trusted Solaris 2.5 environment is an upgrade to the Trusted Solaris 1.2 version, which was built on Solaris 1.1. It has been enhanced to accommodate different commercial and government environments. Also, many Trusted Solaris security features can be customized to accommodate site-speciﬁc requirements for daily operations.

This table lists major topics for the chapter.

Main Differences page 2 Differences from Solaris 2.5.1 Release page 2 Differences from Trusted Solaris 1.2 Release page 3 Trusted Solaris Security Features page 4

1 1

Main Differences

The main difference between the Solaris 2.5.1 environment and Trusted Solaris 2.5 is that the Trusted Solaris environment is more trusted. To achieve trust, it breaks up superuser, it restricts the operation of security- relevant programs, and it adds security features, such as labels, to ﬁles and processes. Since the user’s desktop is part of Trusted Solaris security, CDE is bundled with the product, and is the required desktop for users, administrators, and developers. No other desktop is supported.

There are many differences between the Trusted Solaris 1.2 operating environment and Trusted Solaris 2.5. Among them are the desktop environment, the administration of Trusted Solaris databases using the NIS+ name service, execution proﬁles, label conﬁguration, auditing record format, and reworked authorizations and privileges. Solstice AdminSuite tools are installed as part of the product and provide the administrative interface for the Trusted Solaris network of users and workstations.

Differences from Solaris 2.5.1 Release

The Solaris 2.5.1 features listed in Table 1-1 are not available in the Trusted Solaris 2.5 environment.

Table 1-1 Differences from Solaris 2.5.1 Release

Solaris 2.5.1 Feature Trusted Solaris Information on this Feature NIS (Yellow Pages) NIS+ is the required name service. cache ﬁle system (cachefs) Cachefs™ and AutoClient™ are not supported. UNIX-to-UNIX Copy Program Network protocols TCP and UDP are (UUCP) supported. Federated Naming Service (FNS) Not supported. Accounting Not supported. Quotas Not supported. Volume Management To mount a volume, allocate the device. Requires administrative authorization. OpenLook Window Manager Trusted CDE Window Manager is required (dtwm).

2 Trusted Solaris 2.5 Transition Guide—July 1997 1

Table 1-1 Differences from Solaris 2.5.1 Release

Solaris 2.5.1 Feature Trusted Solaris Information on this Feature remote filesystem mounting at File systems are mounted after installation. installation upgrade installation option This is the first release; allowing installation upgrades is planned for later releases. sys-unconfig Does not reset Trusted Solaris configuration files. Solstice DiskSuite™ Metadisking is not supported.

Differences from Trusted Solaris 1.2 Release

The Trusted Solaris 1.2 features listed in Table 1-2 are not available in Trusted Solaris 2.5 environment.

Table 1-2 Trusted Solaris 1.2 Features Not Supported

Trusted Solaris 1.2 Feature Further Information per ﬁle auditing This is a submitted bug. consistency checking Actions and other features ensure consistency. terminal login This is a submitted bug. Trusted NeWSprint Printing is now based on System V, Release 4 (SVR4) printing.

Overview 3 1

Trusted Solaris Security Features

The security features listed in Table 1-5 are implemented in the Trusted Solaris environment, but not in the Solaris 2.5.1 environment.

Table 1-3 Trusted Solaris 2.5 Security Features

Trusted Solaris 2.5 Feature Further Information Labels and Clearances Labels and clearances label information (including processes) and regulate who can access the information. Based on the label encodings ﬁle. Administrative Roles Roles divide the responsibilities of superuser. Users assume a role; a role cannot log in. Authorizations Authorizations enable a user to perform security-relevant tasks. Device Allocation Devices are accessible to users when authorized by the security administrator. To use a device, it must be explicitly allocated and deallocated. Privileges Privileges enable commands and actions to perform security-relevant tasks. Trusted Networking Trusted Solaris security attributes are applied to all network packets. Trusted Path The trusted path is a secure communication path between a user or process and the system’s trusted software.

4 Trusted Solaris 2.5 Transition Guide—July 1997 1

The security features listed in Table 1-5 are implemented in the Trusted Solaris 2.5 environment, but not in the Solaris 2.5.1 environment nor in the Trusted Solaris 1.2 environment.

Table 1-4 New Trusted Solaris 2.5 Security Features

Trusted Solaris 2.5 Feature Further Information Execution Profiles Profiles describe the commands and actions a user (or role) can execute, any privileges or security restrictions on those actions and commands, and authorizations granted to a user (or role). Profiles package what a user is allowed to do on the system. Label Configuration At installation, labels can be configured. Label Visibility Labels can be hidden (from windows, from icons) on a per workstation and per user basis. Common Desktop Environment CDE is installed from the Trusted Solaris CD- ROM and is enabled by the program. It has been enhanced to handle and enforce Trusted Solaris security features. Multilevel home directories Users’ home directories are created multilevel. Multilevel CDE workspaces CDE workspaces are multilevel. Applications operate at the label of the invoking (workspace) process. Multilevel (Polyinstantiated) Ports A serial port can receive data at more than one label.

Overview 5 1

Transition from Trusted Solaris 1.2 Release

The list in Table 1-5 gives a system-wide view of the main changes between the Trusted Solaris 1.2 and Trusted Solaris 2.5 releases.

Table 1-5 Main Changes Between Trusted Solaris 1.2 and Trusted Solaris 2.5 Releases

Area of System Further Information Adding software Trusted Solaris 2.5 software packages now have security attributes. Administrative utilities See manpage sections (1tsol) and (1mtsol) rather than (1t), (8t) or (8). Distributed databases (users, roles, profiles, remote hosts) are handled through NIS+ tables. Solstice AdminSuite is the graphic user interface to distributed databases. /etc/rc.conf file replaced by /etc/system file. /etc/m6.routes file replaced by /etc/defaultrouter or /etc/tsolgateways file. openwin-menu file replaced by /usr/dt/config/C/sys.dtwmrc CMWXdefaults file replaced by various files in /usr/dt and /usr/openwin/server/tsol Auditing Auditing is enabled by default; audit records have an incompatible format with 1.2 records. Desktop CDE, not OpenWindows. Devices Configurable security policy file, device_policy(4TSOL)

File system, local and mounted File systems now have ﬁlesystem-wide security attributes, additions to the Solaris 2.5.1 ﬁle system attributes. Installation Installation is similar to installing Solaris 2.x. The installation GUI is Motif-based. CDE is installed from the Trusted Solaris CD- ROM.

6 Trusted Solaris 2.5 Transition Guide—July 1997 1

Table 1-5 Main Changes Between Trusted Solaris 1.2 and Trusted Solaris 2.5 Releases

Area of System Further Information Network installation requires the install and boot server to be the same workstation. Auditing is enabled during installation. Solstice AdminSuite is installed from the Trusted Solaris CD-ROM. Name service Only the NIS+ name service is supported. The NIS compatibility package is not supported. Network interface Network interfaces can be secured using the local database, tnidb(4TSOL). Network remote hosts Remote host databases renamed tnrhdb and tnrhtp, the latter providing templates and wildcard fallback feature. They are NIS+ tables, managed through the Solstice AdminSuite Database Manager. Network routing Static routing is still used; ﬁle to use is named /etc/defaultrouter or /etc/tsolgateways. NIS+ databases Trusted Solaris databases tsoluser, tsolprof, tnrhdb, and tnrhtp are added to the regular NIS+ databases when populating the NIS+ tables. Trusted Solaris conﬁguration information can be added to the bootparams NIS+ database for network installation. Role access Roles are users who cannot log in. Roles have their own workspaces and are assigned their own passwords by the security administrator. Roles do not have reserved UIDs. User workspace The Common Desktop Environment is the required desktop for users and administrators. Openwin programs will run. Programming interfaces X11R4 protocols replaced by X11R5 protocols. Xnews server replaced by Xsun server. Tnet protocols replaced by TSIX protocols. Privileges and authorizations reworked.

Overview 7 1

8 Trusted Solaris 2.5 Transition Guide—July 1997 User and Administrator Transition 2

This chapter describes the Trusted Solaris 2.5 changes that affect users and administrators. Administrators can set up a user’s interface so that labels are not visible, the user can reach only those applications and commands that help get the job done, and the user can work at every label in their accreditation range during one CDE session.

The Trusted Solaris 2.5 environment has been changed and enhanced for users and administrators in the following areas.

Installation page 10 Login page 10 Administration page 10 User’s Workspace page 30 Interoperation page 33 Data Interchange page 35 Porting Applications page 36 Privilege Debugging page 37 New and Replaced Commands page 38

9 2

Installation

Installing the Trusted Solaris 2.5 operating system interactively has the look and feel of installing the Solaris 2.5.1 operating system interactively. However, there is no upgrade option, NIS+ is the only name service choice, and remote file systems cannot be mounted at installation time. Labels are configured during installation (see Label Configuration on page 15), and trusted versions of the Common Desktop Environment (CDE) 1.0.2 and Solstice AdminSuite 2.1 are installed from the Trusted Solaris 2.5 CD-ROM.

Trusted Solaris 2.5 network installation requires that the boot server and the install server be the same workstation. Therefore, every subnet needs its own install/boot server. Network install enables getting Trusted Solaris label conﬁguration settings from the bootparams(4) database on the install/boot server. The bootparams database is a NIS+ table, administered through the Database Manager in Solstice AdminSuite.

The sys-unconfig(1M) command has not been extended to reset Trusted Solaris conﬁguration ﬁles.

The Trusted Solaris 2.5 CDE login screen offers fewer options than its base counterpart. There is no Command Line Login. The Session options are limited to Common Desktop Environment, User’s Last Desktop, and Safe Mode (Failsafe) Session. The Safe Mode session brings up a CDE workspace where none of the user’s ﬁles that usually run at login, such as .login, .profile, or .cshrc, are run. Logins must be enabled before users can log in, and during login, the user is shown messages and label information. Users who are allowed to work at multiple labels have the option of restricting their session to a single label, or to lowering their clearance.

Administration

The Trusted Solaris 2.5 environment is conﬁgured and administered using trusted versions of CDE and Solstice AdminSuite. As in Trusted Solaris 1.x versions, there is a restricted shell, pfsh (proﬁle shell), for command line input

10 Trusted Solaris 2.5 Transition Guide—July 1997 2

and a restricted editor for editing local administrative ﬁles. Following the CDE desktop metaphor, the restricted shell and the restricted editor are invoked through CDE actions, available only in administrative role workspaces.

Databases page 11 NIS+ Name Service page 12 Administrative Graphic User Interfaces page 13 Common Desktop Environment page 16 Network page 19 Distributed Services page 22 Access Control Lists page 23 File Systems page 23 Devices page 26 Auditing page 27 Printing page 29 Mail page 30

Databases

Table 2-1 shows the additions, removals, and new locations of databases used for Trusted Solaris administration.

Table 2-1 Trusted Solaris 2.5 Databases

Trusted Solaris 1.x Name and Location Trusted Solaris 2.5 Equivalent and Location /etc/exports /etc/dfs/dfstab /etc/fstab /etc/vfstab /etc/m6.routes /etc/tsolgateways, /etc/defaultrouter /etc/rc.boot, rc.single, etc. /etc/rcn.d/scripts /etc/rc.conf /etc/system /etc/security/audit_~ /etc/security/audit_~ /etc/security/fstab.adjunct /etc/security/tsol/vfstab_adjunct /etc/security/label_encodings /etc/security/tsol/label_encodings

/etc/security/tcb_static, tcb_dynamic No longer supported.

User and Administrator Transition 11 2

Table 2-1 Trusted Solaris 2.5 Databases

Trusted Solaris 1.x Name and Location Trusted Solaris 2.5 Equivalent and Location /etc/security/TNETCONFDB No longer supported. /etc/security/TNETIDB /etc/security/tsol/tnidb /etc/security/TNETRHDB /etc/security/tsol/tnrhdb

Not in 1.x. Provides host type templates. /etc/security/tsol/tnrhtp /etc/security/authoriz, tfm_role.~ /etc/security/tsol/tsolprof /etc/security/passwd.adjunct /etc/security/tsol/tsoluser /etc/security/user.cmw_labels /etc/security/tsol/tsoluser /etc/security/device_allocate /etc/security/device_allocate /etc/security/device_maps /etc/security/device_maps

Not in 1.x. For device policy. /etc/security/device_policy Not in 1.x. For privilege debugging. /etc/syslog.conf Not in 1.x. For privilege debugging. /var/log/privdebug.log /etc/security/ctab_list No longer supported. /etc/tfm/files /etc/security/tsol/tsoluser

/etc/tfm/nis Replaced by NIS+ tables. /etc/tfm/updaters No longer supported. /usr/openwin/lib (OpenWindows) /usr/dt (CDE) /usr/openwin/lib/CMWXdefaults /usr/openwin/server/tsol/~.atoms /usr/dt/app-defaults/C/Dtwm /usr/dt/app-defaults/C/Dt /usr/dt/app-defaults/C/Sel_Mgr /usr/dt/config/sel_config /usr/openwin/lib/openwin-menu /usr/dt/config/C/sys.dtwmrc

Not in 1.x. New in Solaris 2.x operating system /proc

NIS+ Name Service

The NIS+ name service is the only name service supported by the

12 Trusted Solaris 2.5 Transition Guide—July 1997 2

Trusted Solaris 2.5 operating system. Therefore, a Trusted Solaris 2.5 NIS+ root master cannot administer Trusted Solaris 1.x workstations or Solaris 2.5.1 workstations, although it can communicate with them. The Trusted Solaris NIS+ implementation does not offer NIS (Yellow Pages) compatibility.

Administrative Graphic User Interfaces

A trusted version of Solstice AdminSuite is the graphic user interface (GUI) for administering distributed (and local) Trusted Solaris databases. It shows up as a folder named Solstice_Apps in the Application Manager, a front panel icon in CDE. Trusted administrative interfaces to local databases not administered by Solstice AdminSuite show up as actions in the System_Admin folder in the Application Manager. Only a user in an administrative role with the appropriate authorizations can use the actions in the Solstice_Apps and System_Admin folders. The Trusted Solaris 1.x Trusted Management Facility is no longer supported.

Trusted Solstice AdminSuite Administration

The Solstice_Apps folder holds the NIS+ database managers, such as User Manager, for entering information into NIS+ tables. Trusted Solaris 2.5 adds four databases: tsolprof(4TSOL), tsoluser(4TSOL), tnrhdb(4TSOL), and tnrhtp(4TSOL) to the databases populated by the nispopulate command. It also adds a keyword:value entry to the bootparams database, used during network installation. Online help for the modiﬁed and new databases is available; the reference (glossary) has been updated.

Passwords are changed using a password GUI available from the Trusted Path menu. A password generator can automatically generate possible passwords for users. Setting a password using the nispasswd or the passwd command on the comand line is not supported.

The User Manager has been modiﬁed to incorporate Trusted Solaris security attributes. The User Manager and its database, /etc/security/tsol/tsoluser, replace the Trusted Solaris 1.x /etc/security/user.cmw_labels ﬁle and its /etc/tfm/nis table equivalent.

User and Administrator Transition 13 2

The Proﬁle Manager with its database, /etc/security/tsol/tsolprof, is new to Solstice_Apps and to Trusted Solaris software. It replaces the functionality provided in Trusted Solaris 1.x software by /etc/security ﬁles and its /etc/tfm/nis tables that listed what roles could use what commands.

Two Trusted Solaris databases are added to the Database Manager’s databases, /etc/security/tsol/tnrhdb and /etc/security/tsol/tnrhtp. Together, they replace the Trusted Solaris 1.x /etc/security/TNETRHDB ﬁle. The second ﬁle, tnrhtp, creates templates that describe host types.

The following Solstice AdminSuite managers remain unchanged in Solstice_Apps; they do not detect or add Trusted Solaris security attributes to their entries: • Group Manager • Serial Port Manager • Host Manager

New – Profile Manager The Profile Manager is new to Solstice_Apps and to Trusted Solaris software. It handles the execution profile [tsolprof(4TSOL)] database. See Table 1-4 on page 5 for the definition of execution profile. Trusted Solaris 2.5 software provides execution profiles for normal users and administrative roles. A security administrator can add to and modify the ones provided.

The administrator’s restricted shell, called tsh in the Trusted Solaris 1.x operating system, is called pfsh (proﬁle shell) in the Trusted Solaris 2.5 operating system. It is assigned to a user or role via the User Manager.

The system administrator uses the User Manager invoked from Solstice_Apps to assign execution proﬁles to users and roles.

New – User Manager The User Manager divides a user account into six areas. User account information in the areas Identity and Home is set by the system administrator (admin role). Authorizations are also required, and provided to the admin role. Security information in the Labels, Proﬁles, and Roles areas is set by the security administrator (secadmin role). The required authorizations are provided to the secadmin role.

14 Trusted Solaris 2.5 Transition Guide—July 1997 2

Modiﬁed – Database Manager The Database Manager handles the regular NIS+ databases, such as hosts and bootparams, and the new network databases, tnidb(4TSOL), tnrhdb(4TSOL) and tnrhtp(4TSOL). The templates in tnrhtp simplify network administration by providing generic and per-domain host type descriptions.

Trusted Local Files Administration

The System_Admin folder in the Application Manager holds actions that affect the local workstation but are not handled by Solstice_Apps, such as editing the vfstab(4) and vfstab_adjunct(4TSOL) files. The Edit Encodings action enables the security administrator to edit and check the syntax of the label_encodings(4TSOL) file. Administrative files without a corresponding action, such as the /etc/system file, are edited using the action Admin Editor. The Admin Editor action invokes a trusted editor, configurable by the security administrator to be adminvi(1MTSOL), dtpad(1), or other editors modified to be trustworthy.

Labels

As in the Trusted Solaris 1.x system, it is best to run all workstations with the same label_encodings(4TSOL) ﬁle. Labels are conﬁgurable, and label visibility can be set on a per workstation or per user basis, as discussed in Window and Icon Labeling on page 17.

Label Conﬁguration

The installation program on the Trusted Solaris CD-ROM prompts for the site’s label configuration. The choices are: • to have a single sensitivity label, often called a “system high” configuration, or to have multiple sensitivity labels (also known as “multilevel”) • if multilevel, whether to hide upgraded names, that is, to hide file names whose sensitivity label is higher than the sensitivity label of its directory • to enable information labels (sometimes called advisory labels) • if enabled, whether to float information labels, that is, add the information label of a process to the information label of the object it is affecting

User and Administrator Transition 15 2

• if enabled, whether to reset the information label to admin_low when starting a process (upon a call to exec)

The installation program places the label configuration information in the /etc/system file. In Trusted Solaris 1.x, configuration choices were put in the /etc/rc.conf file.

Changes from Trusted Solaris 1.x Labels

The administrative labels called SYSTEM_HIGH and SYSTEM_LOW in Trusted Solaris 1.x are now called ADMIN_HIGH and ADMIN_LOW. The security administrator can assign them different names.

The “Bound Translation By *” options in the label encodings ﬁle have been removed. Label translations are always bounded by the sensitivity label; they cannot be bounded by clearance.

Common Desktop Environment

The Trusted Common Desktop Environment (CDE) is an enhanced version of CDE 1.0.2. Its window manager, dtwm, is the required desktop window manager for Trusted Solaris 2.5. Trusted Solaris 1.x used OpenWindows 3.0 for the desktop; the OpenLook Window Manager (olwm) is no longer supported.

Trusted CDE supports a multilevel front panel, a trusted path menu, multiple workspaces for users and roles, window and icon labeling, a trusted stripe, trusted front panel applications and other desktop applications, multilevel ToolTalk and window properties, and trusted drag ’n drop. Access to commands, CDE actions, and applications are restricted by execution proﬁles.

See User’s Workspace on page 30 for information on using the multilevel front panel, the trusted path menu, multiple workspaces for users and roles, and trusted front panel applications. Administrative issues for CDE are covered below. Help on Trusted Solaris modiﬁcations of CDE is available in the CDE online help.

16 Trusted Solaris 2.5 Transition Guide—July 1997 2

Defaults

The default setting in /etc/dt/config/sys.dtprofile has been changed so that .login or .profile are sourced for users or roles whose default shell is the proﬁle shell (pfsh). By default, the “Introducing the Desktop” online help does not appear at ﬁrst login.

Window and Icon Labeling

If sensitivity labels and information labels were enabled during label conﬁguration, they do not have to be visible as window and icon labels. The security administrator can hide either or both labels, for windows or icons or both. When all labels are hidden, the trusted screen stripe is iconiﬁed.

Label visibility is set for each user in the User Manager. Labels that are not enabled in the system(4) ﬁle cannot be made visible in the User Manager.

Administrative labels (admin_high and admin_low) can be displayed as the highest and lowest user labels, respectively. Called “label view”, this is set for each workstation in the label_encodings(4TSOL) ﬁle and individually for each user in the User Manager.

Trusted Screen Stripe

In Trusted Solaris 2.5, the trusted screen stripe can be fully visible or iconiﬁed. When a user’s labels are hidden, the screen stripe is iconiﬁed. When labels are visible, the screen stripe is visible.

Desktop Applications

CDE and OpenWindows applications should run with little modification. Possible modifications applications might need would be: multilevel directory for program files, polyinstantiation property in inetd.conf, and root permission during installation.

In CDE, actions can be dropped directly on the Front Panel. The Trusted Solaris 2.5 environment provides two modiﬁcations. First, actions that are not in a user’s proﬁle cannot be added to the Front Panel. Second, only applications in the directory /usr/dt/~ or /etc/dt/~ can be added to the Front Panel. Applications in the ~/.dt/appconfig directories cannot be

User and Administrator Transition 17 2

added to the Front Panel. Actions in the System_Admin and Solstice_Apps folders can be dropped onto the Front Panel by an administrative role; however, they will not work for a normal user.

Tooltalk

Tooltalk is multilevel. A separate Tooltalk session exists for each label and user ID pair. The File Manager, Application Manager, and mail notiﬁcation have been extended in the Trusted Solaris 2.5 environment.

Window Properties

In the Trusted Solaris 2.5 operating system, window system objects (window properties, selections, and tooltalk sessions) are instantiated at more than one sensitivity label (that is, they are multilevel), and access is segregated by their sensitivity label. For example, a property on the root window can exist at two different sensitivity labels as separate and distinct objects. Only windows with the same sensitivity label are available to clients to avoid sensitivity label collisions when using selections to transfer data from window to another window. Polyinstantiation is conﬁgurable by modifying the entries in ﬁles in the directory /usr/openwin/server/tsol.

Trusted Drag ’n Drop

A user can have windows with different sensitivity labels in a workspace. Inter-window data moves between windows with different sensitivity labels must be authorized.

Cut-and-paste movement of data between windows of different sensitivity labels is restricted to authorized users, and a mediation window pops up to conﬁrm upgrades and downgrades of data. Drag ’n drop movement between applications is constrained to the applications having the same sensitivity label and user ID. However, the front panel icons and File Manager handle multilevel data drag ’n drop as follows: • Front panel icons – The individual icons in the front panel act as multilevel drop sites for drag-and-drop movements of data. For example, data dropped onto the trash can icon is delivered to the appropriate trash folder based on the sensitivity label and user ID of the source data.

18 Trusted Solaris 2.5 Transition Guide—July 1997 2

• File Manager – The File Manager allows authorized users to relabel ﬁles via drag’n drop, and to add privileges to executable ﬁles. It also properly handles multilevel directories.

Network

The Trusted Solaris 2.5 networking subsystem consists of a set of extensions to the Solaris 2.5.1 TCP/IP network. The network supports communications with other labeled and unlabeled hosts, multilevel ports, security attributes on the network interface, and centralized network administration using the enhanced Database Manager in Solstice_Apps. Network database formats have changed from Trusted Solaris 1.x formats.

Host Types

Trusted Solaris 2.5 recognizes hosts of the following types on a distributed, heterogenous network: • Unlabeled – Data can be received from and sent to workstations running operating systems that do not recognize labels. • Trusted Solaris 1.x (MaxSix 1.0+ Protocol) – Trusted Solaris 2.5 supports network connectivity with Trusted Solaris 1.x workstations.

The tsol protocol uses the MaxSix 1.0 protocol to enable Trusted Solaris 2.5 applications to communicate with Trusted Solaris 1.x applications without change to the application. • Sun_tsol – The protocol used between Trusted Solaris 2.5 hosts.

Note – In Trusted Solaris 1.x, the default set of supported security attributes is larger. Trusted Solaris 2.5 hosts using the sun_tsol type do not transmit supplementary groups or audit information in the network packet. Both are available through an out-of-band protocol when requested by the TSIG library interfaces.

• CIPSO – The Common Internet Protocol Security Option (CIPSO) speciﬁes security labels that are passed in the internet protocol (IP) options ﬁeld. • TSIX(RE) 1.1. – SATMP – The Security Attribute Token Mapping protocol (SATMP) is used by trusted systems to exchange attribute-token mappings.

User and Administrator Transition 19 2

• TSIX(RE) 1.1. – SAMP – The Security Attribute Modulation protocol (SAMP) passes tokenized security attributes associated with a sending process on every write operation made to the senders’s transport layer protocol. • RIPSO – The Revised Internet Protocol Security Option (RIPSO) is described in the IETF RFC 1108. It speciﬁes a Department of Defense (DoD) IP labeling method to incorporate labels into IP packets.

Multilevel Ports - New

In the Trusted Solaris 2.5 operating system, all network endpoints are either multilevel or single-level ports to support unmodiﬁed applications in a trusted environment. The Trusted Solaris 1.x environment supported only single-level. • Multilevel port – A network endpoint associated with all sensitivity labels. • Single-level port – A network endpoint associated with one sensitivity label.

A multilevel port can receive data with any sensitivity label, while a single-level port can receive only data with the matching label. A network packet carrying a particular label is delivered to a matching single-level port ﬁrst. If no such single-level port exists, it is then delivered to a matching multilevel port. If no such multilevel port exists, the packet is dropped.

Network Interfaces and Routing

The network interface layer accepts packets from the internet layer and places them on the appropriate physical network. Like Trusted Solaris 1.x routing and unlike Solaris 2.5.1 routing, Trusted Solaris 2.5 routing is static.

Table 2-2 Routing File Change

1.x Routing Solaris 2.5.1 Routing 2.5 Routing /etc/m6.routes dynamic routing /etc/defaultrouter /etc/tsolgateways

Network Interface Database

The network interface database, tnidb(4TSOL), is stored in a different location and has a different format from the Trusted Solaris 1.x tnidb. Data must be manually ported.

20 Trusted Solaris 2.5 Transition Guide—July 1997 2

• /etc/security/tsol/tnidb – Network interface database. It is always a local ﬁle, and is administered through the Database Manager, as described in Administrative Graphic User Interfaces on page 13. A tnidb entry describes each network interface in terms of the following: • Host type • Label range for incoming and outgoing data • For incoming unlabeled data, if unspeciﬁed in the remote host database: CMW label, clearance, effective user and group ID, effective privileges

Remote Host Databases

Network database formats have changed and must be ported manually. The remote host databases are administered through the Database Manager, as described in Administrative Graphic User Interfaces on page 13. The Trusted Solaris 2.5 network uses the following files or NIS+ tables: • /etc/security/tsol/tnrhdb – Remote Host Database that maps known hosts to template names. Like other NIS+ files, this database can be a local file or a NIS+ table. It specifies IP address and template (tnrhtp) name. • /etc/security/tsol/tnrhtp – Remote Host Template Database. Like other NIS+ files, this database can be a local file or a NIS+ table. It describes templates for use by tnrhdb. There are six basic templates based on host type: • sun_tsol type for communicating with other Trusted Solaris 2.5 hosts • unlabeled type for communicating with unlabeled workstations, such as Solaris 2.5.1 hosts • tsix type for communicating with workstations whose vendors are using TSIX • msix type for communicating with Trusted Solaris 1.x hosts • cipso type for communicating with hosts sending CIPSO packets • ripso type for communicating with hosts sending RIPSO packets

Each host type can be further characterized by attributes speciﬁc to the host type. For example, the sun_tsol host type has an effective privileges attribute while the unlabeled host type does not.

Network Utility Commands

The Trusted Network uses the following utilities:

User and Administrator Transition 21 2

• tnchkdb(1MTSOL) – Checks database ﬁle syntax. • tnctl(1MTSOL) – Controls single element of trusted network, sets daemon debugging, and loads a single interface, host, or template. • tnd(1MTSOL) – Initializes trusted networking and loads databases, loads all the databases into the Trusted Solaris 2.5 kernel for their use, and manages the kernel database tables. • tninfo(1MTSOL) – Displays information about trusted networking interface, host, template, information, and trusted network statistics.

New snoop Command The snoop(1MTSOL) command displays network packets based on specified options and filters. It can display different levels of detail based on options specified.

In Trusted Solaris 2.5, three types of packets are recognized: unlabeled, tsol, and tsix. A new ﬁltering primitive, sectype, is added to ﬁlter packets based on security type. The syntax is sectype type

where type is unlabeled, tsol, or tsix. For Trusted Solaris (tsol) packets, the security attributes are displayed.

Distributed Services

A distributed service refers to a component of the system that can perform services for clients on different machines (or same machine) as the service provider. Trusted Solaris 2.5 supports most of the UDP, TCP, and TI-RPC services provided in Solaris 2.5.1. These services include the following: • Various Internet services coordinated by inetd, including rlogin, ftp, telnet, rsh, rcp and others. • The NIS+ database is now used instead of the NIS database for distributed network administration. There is now a template ﬁle for describing remote hosts. • Domain Name Service (DNS).

22 Trusted Solaris 2.5 Transition Guide—July 1997 2

Access Control Lists

Access Control Lists (ACLs) are part of the Solaris 2.5.1 operating system. The Trusted Solaris 2.5 operating system supports the same format and interfaces for ACLs that are found in the Solaris 2.5.1 operating system, and extends the support for ACLs to include the tmpfs ﬁle system.

File Systems

The Solaris 2.5.1 ﬁle system architecture has a mechanism, the shadow inode, to store extended attributes such as ACLs. Trusted Solaris 2.5 builds upon this architecture to store its extended security attributes. File systems now have Trusted Solaris 2.5 security attributes.

File systems support attributes for file system objects, as in Trusted Solaris 1.x, and for local file systems and mounted file systems. When a file system object is not given explicit security attribute values, it inherits the local file system attribute values. When the local file system does not have an attribute value, the mount attribute is used. File system security attributes can be set in the /etc/security/tsol/vfstab_adjunct file. Also, the mount(1MTSOL) command has been extended to include file system security attributes.

As in Trusted Solaris 1.x software, file systems can be single-label or multilevel. A single-label file system supports only the standard Solaris 2.5.1 object attributes. The system administrator either sets the Trusted Solaris security attributes in the vfstab_adjunct(4TSOL) file, or mounts the single-label file system using the mount(1MTSOL) command. Otherwise, Trusted Solaris security attributes are absent altogether.

Unlike Trusted Solaris 1.x file systems, Trusted Solaris 2.5 file systems have more security attributes, security attributes are stored filesystem-wide, and there are commands and files to handle filesystem-wide security for local and mounted file systems.

Note – Because Trusted Solaris 2.5 does not recognize Trusted Solaris security attributes on file systems mounted from NFS Version 2 servers, all such servers need security attributes specified in /etc/security/vfstab_adjunct or with the mount(1MTSOL) -S option. Also, specify vers=2 with the mount(1MTSOL) command or in the vfstab(4) file. The entry in /etc/security/tsol/tnrhdb for the mounted server should be unlabeled.

User and Administrator Transition 23 2

The Trusted Solaris 2.5 operating system supports Solaris 2.5.1 ﬁle system security attributes in addition to its own, as shown in Table 2-3.

Table 2-3 File System Attributes in Trusted Solaris 2.5

Solaris 2.5.1 Attributes and Trusted Solaris 2.5 Attributes Access Control Lists CMW label Discretionary Access Control permission bits File system label range User and Group ID Forced and allowed privilege sets Audit preselection attributes Multilevel directory (MLD) preﬁx

File System Attribute Commands and Files

Trusted Solaris 2.5 commands that handle file system security attributes affect all security attributes, including those defined in the Solaris 2.5.1 operating system. Trusted Solaris 2.5 files that handle file system security attributes affect only Trusted Solaris 2.5 security attributes.

Trusted Solaris 2.5 file system attributes can be applied when the file system is mounted through the new /etc/security/tsol/vfstab_adjunct file; the /etc/vfstab file handles Solaris 2.5.1 security attributes (such as ACLs). There are also options to the mount(1MTSOL) command that apply Trusted Solaris file system security attribute values for the duration of the mount operation.

New - File System Object Attributes

File system objects have ﬂags that indicate whether the object uses multilevel directory semantics and whether the object is public.

New - File Manager Sets Security Attributes

An administrator can set a ﬁle’s security attributes in the File Manager.

24 Trusted Solaris 2.5 Transition Guide—July 1997 2

The following file system commands and files are either new or modified for Trusted Solaris 2.5.

Table 2-4 File System Command and File Changes

Operation Interfaces Origin/Change Get and set file security getfattrflag(1TSOL), setfattrflag(1TSOL) New in 2.5 attribute flags for individual files Get and set file system getfsattr(1MTSOL), setfsattr(1MTSOL) New in 2.5 security attributes Get and set file getfpriv(1TSOL), setfpriv(1TSOL) Replace 1.x lspriv privilege sets and chpriv commands Test file privilege sets testfpriv(1TSOL) New in 2.5 Get multilevel directory adornfc(1TSOL), getmldadorn(1TSOL), Modified 1.x adornment mldpwd(1TSOL), mldrealpath(1TSOL) (parameter list change) Mount filesystem /etc/security/tsol/vfstab_adjunct New in 2.5; replaces 1.x [ vfstab_adjunct(4TSOL)] fstab.adjunct file Mount filesystem mount(1MTSOL) Modified Solaris 2.5.1 (more parameters)

Multilabel File Systems

The following file system types support multiple labels: • ufs – Standard Solaris UNIX file system with Trusted Solaris attributes • tnfs – Remote file system protocol for UNIX file system access with Trusted Solaris attributes (based on networked file system (NFS) V3 and supporting V3 over TCP). • tmpfs – In-memory temporary file system • swapfs – Swap file system • lofs – Loopback file system

To allow easy migration of UNIX ﬁle system (UFS) disks between Solaris 2.5.1 and Trusted Solaris 2.5, there are two ways to conﬁgure a Solaris 2.5.1 UFS disk mounted on a Trusted Solaris 2.5 workstation.

User and Administrator Transition 25 2

1. Set up security attribute defaults and store security attributes on the ﬁle system. See the setfsattr(1MTSOL) man page.

2. Set up security attribute defaults for the ﬁle system at mount time. This enables the UFS disk to be reintegrated on a Solaris 2.5.1 workstation later. See the mount(1MTSOL) and the vfstab_adjunct(4TSOL) man pages.

Multilevel Directories

Multilevel directories (MLDs) allow data to be stored at different sensitivity labels within the same directory. Multilevel directories are supported only by ufs with Trusted Solaris 2.5 attributes, tnfs, lofs, and tmpfs ﬁle system types. As in Trusted Solaris 1.x, MLDs appear in the ﬁle system as ordinary directories with a Trusted Solaris 2.5 attribute identifying them as MLDs.

Users’ home directories are created as multilevel directories in the parent directory, such as /export/home or /home. In the Trusted Solaris 1.x operating system, the /tmp directory was created as a multilevel directory . The Window Manager and CDE File Manager are aware of MLDs as described in “Trusted Drag ’n Drop” on page 18.

In Trusted Solaris 1.x, single-level directory (SLD) names were the hexadecimal equivalent of the label names. In Trusted Solaris 2.5, SLD names are sequentially assigned within each MLD as they are created. The ﬁrst SLD created in an MLD is numbered 0, the second is numbered 1, and so forth. The numbers have no relation to the label of the directory, therefore the label is truly hidden.

Devices

As in Trusted Solaris 1.x software, devices have a label range and require authorization to operate. The Trusted Solaris 1.2 GUI, alloctool(1T), is replaced by the Device Manager, available from the subpanel (its title is Trusted Desktop) of the Style Manager.

26 Trusted Solaris 2.5 Transition Guide—July 1997 2

Unlike Solaris 2.5.1 device allocation, Trusted Solaris device allocation is not installed or backed out by the bsmconv(1MTSOL) and bsmunconv(1MTSOL) scripts. Device allocation is conﬁgurable by the appropriate administrator. Table 2-5 lists the administrative commands for device allocation.

Table 2-5 Device Command and File Changes

Operation Interfaces Origin/Change Inform system of new device add_drv(1MTSOL), rem_drv(1MTSOL) Solaris 2.5.1 driver, remove driver Allocate and deallocate device allocate(1MTSOL), Solaris 2.5.1, 1.x deallocate(1MTSOL)

Configure/query STREAMS autopush(1MTSOL) Solaris 2.5.1 modules pushed when device opened Create and query configurable devpolicy(1MTSOL) New in 2.5 device policy table in kernel Store device configuration /etc/security/tsol/device_policy New in 2.5 information Device clean scripts device_clean(1MTSOL) Solaris 2.5.1, 1.x List allocatable devices list_devices(1MTSOL) Solaris 2.5.1, 1.x Get device information from dminfo(1MTSOL) Solaris 2.5.1, 1.x device_maps file Configure /dev directory drvconfig(1MTSOL) Solaris 2.5.1

Auditing

Auditing in the Trusted Solaris 2.5 environment is similar in concept to Trusted Solaris 1.x auditing. It extends the Solaris 2.5.1 Basic Security Module (BSM) to include Trusted Solaris audit tokens, audit events, audit classes, and audit policy ﬂags. Auditing is turned on by default in the Trusted Solaris 2.5 environment. It can be disabled by running the bsmunconv(1MTSOL) script.

User and Administrator Transition 27 2

Table 2-6 shows the auditing compatibility between Trusted Solaris 2.5, Solaris 2.5.1, and Trusted Solaris 1.x versions. A Trusted Solaris 2.5 audit server can read Solaris 2.5.1 audit records, but cannot read Trusted Solaris 1.x audit records.

Table 2-6 Interoperability Between Audit Trail Formats

Audit Record Format TS 1.X Solaris 2.5.1 TS 2.5 TS 2.5 NYY Audit Servers Solaris 2.5 NYN TS 1.X YNN

Table 2-7 summarizes the changes in audit commands from the Solaris 2.5.1 implementation. The security policy is similar to Trusted Solaris 1.x policy.

Table 2-7 Modiﬁed from Base Solaris

Modiﬁcations Audit Command The calling process needs sys_audit to audit(1MTSOL) query the state of the system. audit_warn(1MTSOL) audit_startup(1MTSOL) auditd(1MTSOL)

Policy ﬂags added auditconfig(1MTSOL) auditstat(1MTSOL)

The calling process needs sys_audit to get auditreduce(1MTSOL) or set the operational state of the audit praudit(1MTSOL) module or the audit behavior of any audited process. bsmconv(1MTSOL) Auditing is enabled by default. Devices have bsmunconv(1MTSOL) been removed from bsmconv scripts.

28 Trusted Solaris 2.5 Transition Guide—July 1997 2

Table 2-8 summarizes the changes in audit ﬁles from the Solaris 2.5.1 BSM and from Trusted Solaris 1.x auditing.

Table 2-8 Changes in Audit Files from BSM and Trusted Solaris 1.x Auditing

Modiﬁcations Audit File Calling process needs sys_audit, audit_control(4TSOL) proc_audit_tcb proc_audit_appl , or to audit_data(4TSOL) read the ﬁles. audit_user(4TSOL) audit.log(4TSOL)

Trusted Solaris classes added audit_class(4TSOL) Trusted Solaris events added audit_event(4TSOL) Use audit_user(4TSOL) ﬁles passwd.adjunct(5)

By default, a regular user is not assigned a proﬁle that enables getting or setting audit parameters. The administrative role secadmin has the Audit Control proﬁle, whose commands inherit the sys_audit privilege for audit operations.

Printing

The Printer Manager in Trusted Solaris 2.5 can administer all print domains.

Trusted Solaris 2.5 labels printed output to meet the needs of environments where sensitivity information requires special handling. A banner (ﬁrst) and trailer (last) page are introduced to bound the printed output and provide information on the sensitivity label, information label, and handling caveats of the printed output and job ID. Top and bottom (information) labels are also applied to each printed page. While an authorized user can turn off information label printing, that event is auditable and not recommended.

The Solaris 2.5.1 printer output system has been modified in Trusted Solaris 2.5 to provide the printed output labeling and segregate the print queues by sensitivity label. This functionality provides the ability to print to any PostScript printer. PostScript files may be printed by authorized users only. An authorization is required because the labeling mechanism for PostScript files lacks the integrity that ASCII files have.

User and Administrator Transition 29 2

The new Printer Manager enables the system administrator to conﬁgure printers so printouts have banner and trailer pages, and to authorize individual users to use the printer to print PostScript.

A Solaris 2.5.1 workstation can be used as an unlabeled print server for Trusted Solaris 2.5 print jobs, but not the other way around.

Mail

Trusted Solaris 2.5 adds several privacy options to sendmail(1MTSOL) for security. Unlike Trusted Solaris 1.x, roles do not need to be added to an aliases ﬁle because roles are users, so at creation get a home directory and mail like other users.

The default multilevel mail utility is dtmail(1x). To use another mailer, such as the OpenWindows mailtool, see the Trusted Solaris Administrator’s Procedures manual.

User’s Workspace

The Trusted Solaris 2.5 operating system requires the use of the Common Desktop Environment (CDE). Trusted CDE supports a multilevel front panel, a trusted path menu, multiple workspaces for users and roles, window and icon labeling, a trusted stripe, trusted front panel applications, other desktop applications, and trusted drag ’n drop. Access to commands, CDE actions, and applications are restricted by execution proﬁles.

Front Panel

In Trusted Solaris 2.5, the front panel is a special multilevel window that provides mechanisms for starting applications at different labels. It contains a trusted File Manager, multilevel mail, a trusted editor, and a trusted Application Manager, plus other applications. Applications launched from the front panel are labeled with the current workspace’s label. A normal user does not have the authorization to change the contents of the front panel, or to place privileged applications in the Application Manager.

30 Trusted Solaris 2.5 Transition Guide—July 1997 2

Trusted Path Menu

The Switch Area menu of the Front Panel in CDE, invoked by left clicking with the mouse in the central area of the panel, is the Trusted Path (TP) menu in the Trusted Solaris 2.5 environment. The TP menu contains menu items to assume a role, change passwords, change the sensitivity label of the workspace, and other actions that affect the security of the system.

Multiple Workspaces

Trusted CDE supports multiple workspaces. By default, each user gets four workspaces named One, Two, Three, and Four. Upon login, each workspace is labeled with the user’s minimum sensitivity label. Applications launched from the front panel are started at this label. In a multilevel session, the sensitivity label of a workspace can be changed from the Trusted Path menu. As in base CDE, Trusted CDE user workspaces can be renamed, customized, deleted, and saved.

Role Workspaces

The Trusted Path menu also provides the mechanism for assuming roles. The menu presents a list of roles available to the user. If there is a list, the user selects a role. Once the role password is authenticated, a new workspace is created for that role with the role’s environment, minimum sensitivity label, user and group IDs, and environment variables. As with other workspaces, CDE actions taken in a role workspace are restricted to those deﬁned in the execution proﬁles assigned to the role. Unlike user workspaces, role workspaces are not saved in their entirety. Role applications cannot be saved, though workspace appearance, set through the Style Manager, can be saved.

Window and Icon Labeling

In Trusted Solaris 2.5, window and icon labels can be hidden.

Trusted Screen Stripe

In Trusted Solaris 2.5, when labels are hidden, the screen stripe is iconiﬁed. When labels are visible, the screen stripe is visible.

User and Administrator Transition 31 2

Trusted Front Panel Actions

The Application Manager and File Manager, desktop applications invoked from the front panel, have been modified to be trusted. They work seamlessly at multiple labels in one user session, as do most applications, such as multilevel mail. • The Application Manager and File Manager have been modified to consult the tsolprof(4TSOL) database before presenting or invoking actions. A user can invoke only those CDE actions defined in the profiles assigned to the user or role that the user has assumed. The restrictive and enabling attributes associated with profiles are also applied to the invocation of CDE actions.

The folders Solstice_Apps, for administering the distributed system, and System_Admin, for administering the local workstation, have been added to the Application Manager. A trusted editor is available from the action Admin Editor in the System_Admin folder. See “Trusted Solstice AdminSuite Administration” on page 13 and “Trusted Local Files Administration” on page 15 for details. • The File Manager provides interfaces for getting and setting Trusted Solaris ﬁle attributes such as labels and privileges. Users in an administrative role with the appropriate authorizations can use the interfaces. It has also been made aware of multilevel directories; all users can use the multilevel directories feature. • The mail icon for dtmail(1X) in the front panel has been modiﬁed to support multilevel mail. It displays the arrival of mail for users and active roles at each sensitivity label. The mailboxes are accessible from a subpanel menu above the mail icon. A mail reader corresponding to the sensitivity label of the incoming mail can be launched by clicking on the icon corresponding to that label.

Desktop Applications

CDE and OpenWindows applications should run with little modiﬁcation.

32 Trusted Solaris 2.5 Transition Guide—July 1997 2

Trusted Drag ‘n Drop

A user can have windows with different sensitivity labels in a workspace. Inter-window data moves between windows with different sensitivity labels must be authorized.

Interoperation

The Trusted Solaris 2.5 operating system interoperates with other network protocols, ﬁle systems, and Trusted Solaris 1.x windows and OpenWindows applications.

Network Protocols

Network connectivity between the Solaris 2.5.1 operating system and the Trusted Solaris 2.5 operating system by way of TCP, UDP, and IP is supported at a single sensitivity label. Various Internet Services available on the Solaris 2.5.1 operating system, such as rsh, rcp, rlogin, telnet, and ftp are supported at a single sensitivity label in either direction between Trusted Solaris 2.5 and Solaris 2.5.1 systems.

The Trusted Solaris 2.5 networking protocol is backwards compatible with Trusted Solaris 1.x networking protocol. Therefore, nonprivileged multilevel network interoperability between the two systems is supported. • Network ﬁle system – NFS operation is supported between Trusted Solaris 2.5 and Trusted Solaris 1.x systems at a single sensitivity label. • Internet services – Internet services including rlogin, telnet, and ftp are supported between Trusted Solaris 2.5 and Trusted Solaris 1.x systems at a single sensitivity label.

User and Administrator Transition 33 2

• Diskless Boot – Diskless boot is not supported between the Trusted Solaris 2.5 operating system and Trusted Solaris 1.x or Solaris 2.5.1 systems.

Note – To communicate with Trusted Solaris 1.x systems, root on the Trusted Solaris 2.5 system must be a member of the group wheel. wheel in Trusted Solaris 1.x is GID 0, but root group in Trusted Solaris 2.5 is GID 0, so give Trusted Solaris 2.5 wheel a different GID.

Privilege and Authorization Interoperability

The mapping between Trusted Solaris 1.x authorization names and authorization IDs, and privilege names and privilege IDs have not been preserved. For this reason, the Trusted Solaris 2.5 operating system supports only nonprivileged interoperation with Trusted Solaris 1.x hosts where no authorization checking takes place.

File System Interoperability

The Trusted Solaris 2.5 operating system supports most Solaris 2.5.1 file systems and maintains the file system interfaces. Solaris 2.5.1 file system objects are also supported.

File system mounting between Trusted Solaris 2.5 hosts and Solaris 2.5.1 hosts at a single label is supported.

For each file system type, Trusted Solaris 2.5 security attributes are specified when the file system is mounted. A single-label file system supports objects only at the label at which the file system was mounted. • ufs – Standard Solaris UNIX file system without Trusted Solaris attributes • nfs – Remote file system protocol (V2, V3, and V3 over TCP). • pcfs – MS-DOS formatted file system • hsfs – High Sierra file system for CD-ROM drives

NFS client and server functionality at a single sensitivity label is supported in either direction between Solaris 2.5.1 and Trusted Solaris 2.5. This includes secure NFS as well as NFS Version 3 (V3), V3 over TCP, and Version 2.

34 Trusted Solaris 2.5 Transition Guide—July 1997 2

Window Interoperability

Windows can be remotely displayed between Solaris 2.5.1 and Trusted Solaris 2.5 systems at a single sensitivity label. Authentication can occur based on host, secure remote procedure call (RPC) credential, or the default user ID set up for that workstation.

Nonprivileged, multilevel window interoperability is supported between Trusted Solaris 2.5 and Trusted Solaris 1.x systems. (See “Privilege and Authorization Interoperability” on page 34 for why privileges are not compatible).

Data Interchange

The tar(1TSOL) command with the -T option (to preserve security attributes) is the recommended method for porting data from a Trusted Solaris 1.x system to a Trusted Solaris 2.5 system. Files can be ported along with their attribute information, excluding privileges (see “Privilege and Authorization Interoperability” on page 34).

Dumping and restoring ﬁlesystems [ufsdump(1M), ufsrestore(1M)] between Trusted Solaris 2.5 and other systems is not supported.

Note – The tar(1TSOL) command is limited by directory depth: the directory name cannot be longer than 155 characters, and the ﬁlename cannot be longer than 100 characters.

Table 2-9 shows the effects of commands for transferring ﬁles to a Trusted Solaris 2.5 system.

Table 2-9 Moving Data to a Trusted Solaris 2.5 System

Moving Files from … Using command … Results in … Trusted Solaris 2.5 tar(1TSOL) cT files with tsol attributes System ufsdump(1M) files with all security attributes, when restored using ufsdump(1M) cpio(1) files with no security attributes pax(1) -x

User and Administrator Transition 35 2

Table 2-9 Moving Data to a Trusted Solaris 2.5 System

Moving Files from … Using command … Results in … Solaris 2.5.1 System tar(1) cp ﬁles with ACLs, without other security attributes tar(1) c ﬁles with no security attributes cpio(1) pax(1) -x

Trusted Solaris 1.x tar(1) cs ﬁles with security attributes System tar(1) csa minus privilege attributes tar(1) c ﬁles with no security attributes cpio(1) pax(1) -x

Table 2-10 shows the commands available in the Trusted Solaris 2.5 system, and their effects when transferring Trusted Solaris 2.5 ﬁles to other systems.

Table 2-10 Moving Data from a Trusted Solaris 2.5 System to Another System

Moving Files to … Using command … Results in … tar(1TSOL) cT files with all security attributes Trusted Solaris 2.5 ufsdump(1M) files with all security attributes, System when restored using ufsrestore(1M) cpio(1) files with no security attributes pax(1) -x Solaris 2.5.1 System tar(1TSOL) cp files with ACLs tar(1TSOL) c files with no security attributes cpio(1) files with no security attributes pax(1) -x Trusted Solaris 1.x tar(1TSOL) c unpredictable System tar(1TSOL) cT cpio(1) files with no security attributes pax(1) -x

Porting Applications

CDE applications are based on Motif 1.2.4. However, the Trusted Solaris 2.5 operating system supports and allows interoperability with OpenWindows applications based on the XView and OpenLook Interface Toolkit (OLIT) toolkits. The current version of these toolkits is 3.5.1.

36 Trusted Solaris 2.5 Transition Guide—July 1997 2

Most third-party applications will run in the Trusted Solaris 2.5 environment without modiﬁcation. In the Trusted Solaris 2.5 environment, multiple instances of third-party applications run at different sensitivity labels without privileges or errors. Motif-based applications should run with little modiﬁcation.

Trusted Solaris 1.x trusted applications must be re-coded for privilege and authorization changes in Trusted Solaris 2.5. It may be best to re-work the applications in Motif or as CDE actions.

Trusted Solaris 2.5 software packages now have Trusted Solaris security attributes as well as Solaris 2.5.1 attributes. The following security attributes can be set on files at package installation time: • CMW labels • ACLs • Allowed and forced privileges • Public object flag • MLD flag

Privilege Debugging

Programmers and administrators can test applications that require privileges without using auditing to detect a program’s use of privilege. Running applications in privilege debugging mode logs privilege failures while allowing applications to succeed. The log lists the privileges the program needs for successful operation. A role with appropriate access turns on privilege debugging mode by:

1. Setting the tsol_privs_debug switch in the /etc/system ﬁle to the value 1

2. Uncommenting the line tagged kern.debug in the /etc/syslog.conf ﬁle.

3. Issuing the command touch /var/log/privdebug.log to create the ﬁle.

4. Rebooting, entering a role workspace, and issuing the command runpd(1MTSOL) in a proﬁle shell [pfsh(1MTSOL)] to start the program in debug mode. The privdebug.log ﬁle logs the program’s privilege requirements.

User and Administrator Transition 37 2

New and Replaced Commands

The Trusted Solaris 2.5 operating system has changed or removed commands available in the Trusted Solaris 1.x releases, as well as added commands.

New User Commands

There are new user commands to do the following: • Get and set file system attributes. • Get and set file privilege sets. • Get process attribute flags, process clearance, process CMW label, and process effective privilege set. • Test file privilege sets and process effective privilege set. • Obtain information on kernel level network information and statistics.

New System Administration Commands

There are new system administration commands to do the following: • Start a restricted text editing environment. • Start the profile and system shells. • Address resolution display. • Convert ASCII labels to hexadecimal and back. • Manage auditing, streams, and device allocation. • Get and set file system and process attributes and attribute flags. • Set security attributes on a new file system. • Configure network interface parameters. • Link files and directories, mount and unmount file systems, check and repair file systems, and make local resources available for remote system mounting. • Show network status, create NIS+ tables, initialize NIS+ domain, capture and inspect network packets, send one-way stream of packets to host, check syntax of trusted network database, configure network daemon control parameters, start the trusted network daemon, write an audit record, and handle token maps.

38 Trusted Solaris 2.5 Transition Guide—July 1997 2

• Set echo requests, set system date from remote host, manipulate routing tables, run a command for privilege debugging, send mail over the internet,

Administrative and User Command Summary

Administrative commands are described in Trusted Solaris Administrator’s Procedures, and user commands are described in the Trusted Solaris User’s Guide. Table 2-11 lists the status of Trusted Solaris 1.x administrative and user commands ]in the Trusted Solaris 2.5 release. Administrative and user commands new in the Trusted Solaris 2.5 release are listed in Table 2-12 on page 41.

Note – Auditing and ACLs have been modiﬁed for the Trusted Solaris 2.5 release based on Solaris 2.5.1 source code. Therefore, commands in these areas are likely to be different from their Trusted Solaris 1.x versions.

Table 2-11 User and Administrative Trusted Solaris 1.x Commands

Trusted Solaris 1.x User Command Trusted Solaris 2.5 Equivalent acledit(1T) Trusted File Manager interface. add_ctab_obj(8T) Removed. adornfc(1T) adornfc(1TSOL) allocate(1T) allocate(1MTSOL)

ccheck(8T) Removed. chk_encodings(8T) chk_encodings(1MTSOL)

chpriv(8T) setfpriv(1TSOL) and File Manager dbck(8T) tnchkdb(1MTSOL) deallocate(1T) deallocate(1MTSOL)

del_ctab_obj(8T) Removed. dminfo(1T) dminfo(1MTSOL) getfacl(1T) getfacl(1) getlabel(1T) getlabel(1TSOL) -h option gets label of a symbolic link getmldadorn(1T) getmldadorn(1TSOL)

User and Administrator Transition 39 2

Table 2-11 User and Administrative Trusted Solaris 1.x Commands

Trusted Solaris 1.x User Command Trusted Solaris 2.5 Equivalent getplabel(1T) plabel(1TSOL) getppriv(1T) ppriv(1TSOL)

getsldname(1T) getsldname(1TSOL) -s option gets label of SLD install_ctabs(8T) Removed. labeld(8T) Removed. list_devices(1T) list_devices(1MTSOL) lspriv(1T) getfpriv(1TSOL)

mkctab(8T) Removed. mkdb(8T) Removed. mldpwd(1T) mldpwd(1TSOL) mldrealpath(1T) mldrealpath(1TSOL) -s option gets label of SLD newfs(8) newsecfs(1MTSOL) peeraudit(8C) rpc.getpeerinfod(1MTSOL)

privenable(8T) No longer documented. postmaster(1T) Removed. rpc.labeld(8T) Removed. rtp(8T) Removed. secuname(1T) uname(1TSOL) setfacl(1T) setfacl(1)

setlabel(1T) setlabel(1TSOL); -h option sets label of a symbolic link setlow(8T) setlabel(1TSOL) “admin_low[admin_low}” ﬁle sireport(8T) Removed. sync_ctab(8T) Removed. systsh (trusted system sysh(1MTSOL) shell)

tar(1T) -s option tar(1TSOL) -T option

40 Trusted Solaris 2.5 Transition Guide—July 1997 2

Table 2-11 User and Administrative Trusted Solaris 1.x Commands

Trusted Solaris 1.x User Command Trusted Solaris 2.5 Equivalent tcb_verify(8T) Removed. tfmedit, tfmvi(1T) adminvi(1MTSOL) tnet_kstats(8T) tninfo(1MTSOL) tnetd(8T) tnd(1MTSOL) tnetd_ctl(8T) tnctl(1MTSOL) tsh (trusted administrative shell) pfsh(1MTSOL)

Table 2-12 Trusted Solaris 2.5 New User and Administrative Commands

New Trusted Solaris Command Notes atohexlabel(1MTSOL) ASCII to hex label translation device_clean(1MTSOL) Clean devices after deallocation and before allocation devpolicy(1MTSOL) Load device policy into the kernel dl_booting(1MTSOL) Inform kernel of diskless booting state dl_restore(1MTSOL) Inform kernel of diskless booting state getfattrflag(1TSOL) Get security attribute flags for a file getfpriv(1TSOL) Get file privilege sets getfsattr(1MTSOL) Get file system security attributes hextoalabel(1MTSOL) Hex to ASCII label translation ipcrm(1TSOL) Remove SVIPC IDs from namespace ipcs(1TSOL) Get status of SVIPC mechanisms newsecfs(1MTSOL) Create file system with security attributes pattr(1TSOL) Get process attribute flags pclear(1TSOL) Get process clearance pfsh(1MTSOL) Profile shell ppriv(1TSOL) Get process effective privilege set

User and Administrator Transition 41 2

Table 2-12 Trusted Solaris 2.5 New User and Administrative Commands

New Trusted Solaris Command Notes pprivtest(1TSOL) Test file privilege sets and process effective privilege set rpc.getpeerinfod(1MTSOL) Daemon that transmits audit and process information rpc.tbootparamd(1MTSOL) Trusted Solaris boot parameter daemon runpd(1MTSOL) Run a command for debugging the command’s privilege requirements setfattrflag(1TSOL) Set security attribute flags for a file setfpriv(1TSOL) Set file privilege sets setfsattr(1MTSOL) Set security attributes on new file system tbootparam(1MTSOL) Inform rpc.tbootparamd that host is now labeled testfpriv(1TSOL) Test privilege sets associated with a file tnchkdb(1MTSOL) Check syntax of trusted network database files tnctl(1MTSOL) Configure Trusted Solaris network daemon tnd(1MTSOL) Trusted Solaris network daemon tninfo(1MTSOL) Obtain kernel level network information and statistics tokmapctl(1MTSOL) Configure token mapping daemon tokmapd(1MTSOL) Token mapping daemon writeaudit(1MTSOL) Write an audit record

42 Trusted Solaris 2.5 Transition Guide—July 1997 Programmer Transition 3

Programmers familiar with the Trusted Solaris 1.x system will ﬁnd the concepts of the Trusted Solaris 2.5 operating system familiar, but will notice extensive differences in the implementation. Programmers familiar with the Solaris 2.5.1 operating system will recognize the implementation but may be less familiar with the concepts.

The following table lists the major topics for this chapter.

Highlights page 44 Man Pages and Header File Locations page 46 Database Locations page 47 System Packaging Tools page 48 Changes to Programming Interfaces page 48 Label Interfaces page 49 Label Encodings File Interfaces page 51 Privilege Debugging page 54 Process Attributes and Flags Interfaces page 55 File System Attributes and Flags Interfaces page 57 User Database Interfaces – tsolprof and tsoluser page 59 Trusted X Window System page 62 Inter-Process Communication (IPC) page 64 CDE Desktop Applications page 69

43 3

Highlights

The Trusted Solaris 2.5 operating system is standards-based. Windowing is based on Motif 1.2.4, networking is based on TSIX (RE1.2), the desktop is based on CDE 1.02, and the operating system is based on the Solaris 2.5.1 operating system, which is moving toward 1170 compliance. The NIS+ name service, a distributed database, contains network information; Solstice AdminSuite is its administrative front end.

Table 3-1 gives the highlights of Trusted Solaris 2.5 features that affect programmers.

Table 3-1 Highlights of Trusted Solaris 2.5 Features

Area Highlighted Differences 1.x non-privileged applications Should run with little or no porting. 1.x privileged applications May require porting to handle privilege and authorization changes. Solaris 2.5.1 applications Should run with little or no porting. Trusted Solaris 2.5 applications Can wrap commands and executables in CDE actions and add Trusted Solaris attributes to application package. Applications should port easily to other platforms. 1.x Boot scripts Require porting to the Solaris 2.5.1 boot style. 1.x Audit scripts Require porting to read the Trusted Solaris 2.5 audit format. 1.x audit records are not readable by Trusted Solaris 2.5 audit system and vice versa. Access Control Lists (ACLs) Initially implemented in the Trusted Solaris 1.x operating system, ACLs are now part of the Solaris 2.5.1 operating system. Trusted Solaris 2.5 ACLS are modified versions of Solaris 2.5.1 ACLs, not of 1.x ACLs. Significant interface changes. Auditing New audit tokens, audit events, audit classes, and audit policies. Authorizations Changes in names; assigned to users and roles via execution profiles. Significant interface changes. Databases Many Trusted Solaris 1.x databases are no longer supported; others have been moved and/or renamed. Databases have been added. Significant interface changes. Desktop Now CDE, the common desktop environment for UNIX platforms. Significant interface changes.

44 Trusted Solaris 2.5 Transition Guide—July 1997 3

Table 3-1 Highlights of Trusted Solaris 2.5 Features

Area Highlighted Differences Desktop applications Applications (including OpenWindows applications) can be wrapped in a CDE action, and invoked from the front panel. Devices New policy implementation using the file device_policy(4TSOL). File system attributes File systems now have security attributes. Home directories Home directories are multilevel directories. Interoperability Trusted Solaris 2.5 is designed to promote interoperability by conforming to standards. Where 1.x did not conform to the same standards, interoperability is limited. Labels Labels are now configurable, including visibility, whether to enable ILs, and whether to float ILs. Minor interface changes. Man pages Trusted Solaris 2.5 man page sections end in tsol, such as man3tsol for library routines. Network Now based on TSIX (RE 1.2), that enables application portability to other UNIX platforms. Significant interface changes. Ports Now multilevel. Packaging applications Now have Trusted Solaris attributes on packages. Printing Now based on SVR4 standard, not BSD. Trusted NeWSprint no longer used. Significant interface changes. Privileges Changes in names, semantics, and assigning them to executables. Also, privilege debugging is now available. Significant interface changes. Processes Now multithreaded, with symmetric multiprocessing. Trusted Solaris 2.5 security attributes added to Solaris 2.5.1 attributes. Significant interface changes. Streams New trusted streams. User information Now in two databases, tsoluser and tsolprof, managed by NIS+. Significant interface changes. Window Manager Now dtwm, desktop window manager, the Motif base for CDE. Window system Now based on the Solaris 2.5.1 X11R5-based window system. New interfaces. X Toolkits Supports Motif, OpenLook, XView.

Programmer Transition 45 3

Man Pages and Header File Locations

Table 3-2 gives the Trusted Solaris 2.5 locations for man pages and header ﬁles. Trusted Solaris 1.x man pages appended a T to the man page name. Trusted Solaris 2.5 man pages have a TSOL extension and tsol is appended to the man page name. The Intro man pages explain Trusted Solaris concepts and provide a summary of the Trusted Solaris man pages.

Table 3-2 Man Page and Header File Locations

What Trusted Solaris 1.x Location Trusted Solaris 2.5 Location Trusted Solaris man pages /usr/man/man*t /usr/man/man*tsol Trusted Solaris user header ﬁles /usr/include/cmw/*.h /usr/include/tsol/*.h Label builder header /usr/include/cmw/lbuild.h /usr/dt/include/Dt/ModLabel.h Auditing header /usr/include/bsm/auditwrite.h /usr/include/bsm/auditwrite.h Label clipping header No equivalent. /usr/dt/include/Dt/label_clipping.h RPC header No equivalent. /usr/include/rpc/rpc.h IPC header No equivalent. /usr/include/sys/ipc/ipc/h SV Message Queue header No equivalent. /usr/include/sys/msg.h SV Semaphores header No equivalent. /usr/include/sys/sem.h SV Shared memory header No equivalent. /usr/include/sys/shm.h Trusted streams header No equivalent. /usr/include/sys/tsol/stream.h TSIX library header No equivalent. /usr/include/tsix/t6attrs.h System header ﬁles No equivalent. /usr/include/sys/tsol/*.h X11 header /usr/openwin/include/cmw/Xcmw.h /usr/openwin/include/tsol/Xtsol.h

46 Trusted Solaris 2.5 Transition Guide—July 1997 3

Database Locations

Table 3-3 gives the directory locations for databases. Database man pages are stored in the .../man4tsol directory. For a complete list of databases, see Table 2-1 on page 11.

Table 3-3 Trusted Solaris 2.5 Database Directories

Directory Database Description / Dot files, such as .login and .profile, are not read at startup. /etc Contains standard Solaris files, such as nsswitch.conf, some extended for Trusted Solaris 2.5, such as system., and new databases, such as tsolgateways /etc/rcn.d Contains scripts called during booting. /etc/inet.d Contains daemon information. May need to be altered for daemons that handle multilevel applications. /etc/security Contains audit configuration files. /etc/security/tsol Contains Trusted Solaris databases. /usr/dt/ Contains CDE and window manager databases.

New Network Database Interfaces – tnrhdb and tnrhtp

The tnrhdb(4TSOL) database is the equivalent of the Trusted Solaris 1.x TNETRHDB. However, it simpliﬁes entries for a host or domain by pointing to a template of security attributes found in the tnrhtp(4TSOL) database. The tnidb(4TSOL) database is the (local) network interface database. Its format is similar to tnrhdb. The programming interfaces that affect hosts are listed in Table 3-4 on page 48.

A tnrhdb entry has: • host IP address • template name (from tnrhtp)

A tnrhtp entry for an unlabeled host consists of: • template name • host type • default label • default clearance

Programmer Transition 47 3

• default UID • default GID • forced privileges

Entries for labeled hosts have ﬁelds speciﬁc to those host types. See the tnrhtp(4TSOL) man page for details. Host types are discussed in “Network” on page 19.

The system call in Table 3-4 affects network host labeling in the kernel:

Table 3-4 Kernel Host Information API

Operation Interaface Change the view of a host between labeled and chstate(2TSOL) unlabeled

System Packaging Tools

The system packaging tools have been enhanced in the Trusted Solaris 2.5 release with Trusted Solaris 2.5 attributes. The system packaging tools are based on the Solaris tools that provide both the means to package components and the foundation for the patch mechanism.

Changes to Programming Interfaces

Applications coded for the Trusted Solaris 1.x environment may need recoding because of changes to the Trusted Solaris 1.x application programming interfaces (APIs). The Trusted Solaris 2.5 and 1.x releases are not binary compatible, and a binary compatibility package is not provided.

For programming interfaces that have not changed from the Solaris 2.5.1 operating system, see Solaris 1.x to Solaris 2.x Transition Guide and the Solaris 2.5.1 document set.

For full alphabetical listing of programming interfaces that have changed from the Solaris 2.5.1 operating system, are unique to Trusted Solaris releases, or have been removed in this version of the Trusted Solaris operating system, see Appendix A, “Trusted Solaris Programming Interfaces.”

48 Trusted Solaris 2.5 Transition Guide—July 1997 3

Devices

Device allocation programming interfaces have been removed from Trusted Solaris 2.5 and not replaced. The library routines allowed a program to read the information in the device_allocate(4TSOL) and device_maps(4TSOL) ﬁles. The removed interfaces are listed in Table A-7 on page 91. In the Trusted Solaris 2.5 environment, the user interface for device allocation is restricted to the device allocation GUI program launched from the Trusted Path menu.

Device security policy is conﬁgurable in the device_policy(4TSOL) ﬁle.

Unlike devices in the Solaris 2.5.1 environment, Trusted Solaris 2.5 devices are not affected by the bsmconv(1MTSOL) and bsmunconv(1MTSOL) scripts.

Label Interfaces

The labels and clearance API has had a few minor parameter list and binary format changes. Recompiling should handle any differences between Trusted Solaris 1.x and Trusted Solaris 2.5 labels, although some recoding may be necessary. • There are now 256 bits available for compartments and an additional 256 bits available in information labels for markings, up from 128 in Trusted Solaris 1.x. There are 32767 bits set aside for classifications, with ADMIN_LOW defined as 0 and ADMIN_HIGH defined as 32767. • The Trusted Solaris 1.x label view environment variable, SUNW_CMW_LABEL_VIEW, is now the label view process attribute flag PAF_LABEL_VIEW.

Programmer Transition 49 3

Table 3-5 lists the new library routines for labels and clearances. Table 3-6 lists the modiﬁed library routines for labels and clearances.

Table 3-5 New API for Labels and Clearances

Operation Interfaces Symbolic link CMW label lsetcmwlabel(2TSOL) Re-entrant binary to hexadecimal conversion bcleartoh_r(3TSOL) bcltoh_r(3TSOL) biltoh_r(3TSOL) bsltoh_r(3TSOL)

Space for hexadecimal value h_alloc(3TSOL) h_free(3TSOL)

ASCII and hexadecimal conversion atohexlabel(1MTSOL) hextoalabel(1MTSOL)

X Window string conversion Xbcleartos(3TSOL) Xbcltos(3TSOL) Xbiltos(3TSOL) Xbsltos(3TSOL)

Table 3-6 Modiﬁed Label Commands and API

Operation Interfaces Modiﬁcation File CMW label fsetcmwlabel(2TSOL) Constant parameter now in list setcmwlabel(2TSOL) and new structure Process CMW label setcmwplabel(2TSOL) New structure Hexadecimal to binary conversion htobcl(3TSOL) Constant parameters now in list htobclear(3TSOL) htobil(3TSOL) htobsl(3TSOL)

Binary to ASCII conversion bcleartos(3TSOL) bcltobanner(3TSOL)

50 Trusted Solaris 2.5 Transition Guide—July 1997 3

Table 3-6 Modiﬁed Label Commands and API

Operation Interfaces Modiﬁcation ASCII to binary conversion sbcleartos(3TSOL) sbcltos(3TSOL) sbiltos(3TSOL) sbsltos(3TSOL) setbltype(3TSOL) stobcl(3TSOL) stobil(3TSOL)

Comparison bilconjoin(3TSOL) bildominates(3TSOL) bilequal(3TSOL)

Bounds blmaximum(3TSOL) blminimum(3TSOL)

Get ASCII color name bltocolor(3TSOL) Find label type bltype(3TSOL) Get label_encodings ﬁle version labelvers(3TSOL)

Label Encodings File Interfaces

Table 3-7 lists the interfaces to access label encodings ﬁle information:.

Table 3-7 New API for Labels and Clearances

Operation Interfaces Get ASCII color name for a binary label. bltocolor(3TSOL) Get ASCII color name for a binary label, reentrant. bltocolor_r(3TSOL) Get maximum string length speciﬁcations. labelinfo(3TSOL) Get the label encodings ﬁle version information. labelvers(3TSOL)

Label Builder Interfaces

Label builder interfaces in the Trusted Solaris 2.5 release are based on Motif 1.2.4 rather than Open Look Interface Toolkit (OLIT). The cmw_accred_dialog() and cmw_lbuild_update_values() routines are

Programmer Transition 51 3

new. The cmw_lbuild_destroy() and event_handler() routines are gone due to implementation changes in the label building interfaces. The man page directory has changed to man3tsol. Table 3-8 lists the label builder interfaces.

Table 3-8 Label Builder Interfaces

Operation Interfaces cmw_accred_dialog(3tsol)

Create a label builder. cmw_lbuild_create(3tsol) Get values. cmw_lbuild_get(3tsol) Set values. cmw_lbuild_set(3tsol) Update values. cmw_lbuild_update_values(3tsol)

Privilege Interfaces

Because the privilege and authorization sets have changed greatly between the Trusted Solaris 1.x versions and the Trusted Solaris 2.5 release, privileges and authorizations cannot be exchanged between releases. Therefore, only nonprivileged interoperation is supported; no authorization checking takes place. There is no compatibility library. See Appendix B, “Privileges and Authorizations Transition” for lists of removed and added privileges. • File and process privilege set interfaces have new names. • There are new interfaces for translating privilege manifest constant names. • The Trusted Solaris 1.x Trusted Path privilege sys_trusted_path is now a process attribute ﬂag. • Privilege sets are now stored in a structure instead of an array. The priv_set_t data type is now a structure instead of an array. • The mapping between privilege names and privilege IDs of the Trusted Solaris 1.x releases has not been preserved. • Process privilege set updating has been changed when a new program is executed with exec(2TSOL). The change provides better security and improved privilege inheritance. The formulas for each release are shown. In the formulas, E means effective privilege, P is permitted, I is inherited, S is Saved, F is forced, and A is allowed privilege sets. • Trusted Solaris 1.x privilege set updating

52 Trusted Solaris 2.5 Transition Guide—July 1997 3

E2 = P2 = I2 = (I1 union F) intersected by A. S2 = I1 intersected by A • Trusted Solaris 2.5 privilege set updating

E2 = P2 = (I1 union F) intersected by A. S2 = I1 intersected by A I2 = I1. A process with an empty allowed set can pass inheritable privileges.

See "Why Inheritable Privileges Are Important" in Chapter 16 of the Trusted Solaris Administrator’s Procedures.

Table 3-9 lists the new and modiﬁed Trusted Solaris 2.5 privilege interfaces.

Table 3-9 Privilege API Changes

Operation Interfaces Origin/Change Get and set ﬁle privilege getfpriv(2TSOL) Modiﬁed 1.x sets setfpriv(2TSOL) (new structure) fgetfpriv(2TSOL) fsetfpriv(2TSOL)

Get and set process getppriv(2TSOL) privilege sets setppriv(2TSOL) Convert privileges priv_to_str(3TSOL) str_to_priv(3TSOL)

Set process privilege sets set_effective_priv(3TSOL) New in 2.5. set_inheritable_priv(3TSOL) set_permitted_priv(3TSOL)

Convert privileges priv_set_to_str(3TSOL) str_to_priv_set(3TSOL) get_priv_text(3TSOL)

Programmer Transition 53 3

Privilege Macros

The man page priv_macros(5TSOL) describes the Trusted Solaris 2.5 privilege macros. Some macros have the same name as in the Trusted Solaris 1.x operating system, but their parameter lists or data types are slightly different.

Table 3-10 Changes to Privilege Macros

Present in Both Releases Removed from Trusted Solaris 2.5 Added in Trusted Solaris 2.5 PRIV_ASSERT PRIV_COPY PRIV_ISFULL PRIV_ISASSERT PRIV_FILL PRIV_EMPTY PRIV_EQUAL PRIV_ISEMPTY PRIV_CLEAR PRIV_INTERSECT PRIV_UNION PRIV_XOR PRIV_INVERSE PRIV_ISSUBSET

Privilege Debugging

In the Trusted Solaris 2.5 operating system, privilege debugging mode logs privilege failures while allowing applications to succeed. The log lists the privileges the program needs for successful operation. A role with appropriate access enables privilege debugging by:

1. Setting the tsol_privs_debug switch in the /etc/system ﬁle to the value 1. This ﬁle is ADMIN_LOW and the owner is root.

2. Uncommenting the line tagged kern.debug in the /etc/syslog.conf ﬁle. This ﬁle is ADMIN_LOW and the owner is sys.

3. Issuing the command touch /var/log/privdebug.log to create the ﬁle if it does not yet exist. This ﬁle is ADMIN_HIGH and the owner is root.

54 Trusted Solaris 2.5 Transition Guide—July 1997 3

4. Rebooting and issuing the command runpd(1MTSOL) from an administrative role to start the program in debug mode.

Authorization Interfaces

Because the authorization set has changed greatly between the Trusted Solaris 1.x versions and the Trusted Solaris 2.5 release, authorizations cannot be exchanged between releases. There is no compatibility library. • Authorization sets are now stored in a structure. • The mapping between authorization names and authorization IDs of the Trusted Solaris 1.x operating system has not been preserved.

Table 3-11 lists the new authorization interfaces.

Table 3-11 Trusted Solaris 2.5 Authorization API Changes

Operation Interfaces Origin/Change Check authorizations chkauth(3TSOL) Replaces check_authorization(3T) Convert authorizations auth_to_str(3TSOL) New str_to_auth(3TSOL) auth_set_to_str(3TSOL) str_to_auth_set(3TSOL)

Free authorization set free_auth_set(3TSOL) Get authorization description get_auth_text(3TSOL)

The removed interfaces are listed in Table A-7 on page 91.

Process Attributes and Flags Interfaces

The Trusted Solaris 2.5 operating system has extended the Solaris 2.5.1 process attributes as shown in Table 3-12. These attributes are used to make access control decisions when a process tries to read or write data. For multithreaded

Programmer Transition 55 3

applications, all threads share a single view of the process security attributes. Table 3-13 on page 56 lists the new programming interfaces for manipulating these attributes.

Table 3-12 Security Attributes Available in the Trusted Solaris 2.5 Operating System

Base Solaris Security Attributes Trusted Solaris Security Attributes Effective user ID Sensitivity label Effective group ID Information label Process ID Process clearance Network session ID Effective privilege set Supplementary group IDs Process attribute ﬂags Audit ID Audit information (process preselection mask, audit terminal ID, and audit session ID)

As in the Solaris 2.5.1 implementation, all threads of a program share a single view of process security attributes. When a thread makes a change to process security attributes, the new attributes are picked up by other threads the next time those threads enter kernel mode (such as making a system call). If a thread is in the middle of a system call while other threads are changing process security attributes, the new attributes would not be seen by the thread until it ﬁnishes the current system call. That is, process security attributes of a thread are kept stable during the course of a system call.

Table 3-13 Process Command and API Changes

Operation Interfaces Change Process CMW Label setcmwplabel(2TSOL) New structure Process clearance pclear(1TSOL) New Process CMW label plabel(1TSOL) New Process privilege sets ppriv(1TSOL) New pprivtest(1TSOL)

56 Trusted Solaris 2.5 Transition Guide—July 1997 3

Table 3-13 Process Command and API Changes

Operation Interfaces Change Process security attributes pattr(1TSOL) New Process privilege sets getppriv(2TSOL) New setppriv(2TSOL)

Process security attribute ﬂags getpattr(2TSOL) New setpattr(2TSOL)

File System Attributes and Flags Interfaces

The Trusted Solaris 2.5 operating system extends the Solaris 2.5.1 ﬁle system attributes to include Trusted Solaris security attributes. Since privilege sets have also changed from the Trusted Solaris 1.x operating system, there are several changes to ﬁle system interfaces.

Table 3-14 lists the new or modified Trusted Solaris 2.5 interfaces to access file system security attributes and flags.

Table 3-14 Unique to Trusted Solaris 2.5 File System Interfaces

Operation File System API Origin/Change Get and set ﬁle system security attributes fgetfsattr(2TSOL) New getfsattr(2TSOL)

Get single-level directory names fgetsldname(2TSOL) Supports new sld names getsldname(2TSOL)

Get multilevel directory adornment fgetmldadorn(2TSOL) Parameter list change getmldadorn(2TSOL)

Programmer Transition 57 3

Table 3-15 lists the Trusted Solaris 2.5 interfaces that are new or modiﬁed for ﬁles.

Table 3-15 Unique to Trusted Solaris 2.5 File Interfaces

Operation File System API Origin/Change Get and set security attribute ﬂags fgetfattrflag(2TSOL) New getfattrflag(2TSOL)

Get and set ﬁle privilege sets getfpriv(2TSOL) New structure fgetfpriv(2TSOL) setfpriv(2TSOL) fsetfpriv(2TSOL)

Get multilevel directory ﬁle statistics mldstat(2TSOL) Parameter list change mldlstat(2TSOL)

Access Control Lists

Trusted Solaris 2.5 Access Control Lists (ACLs) are implemented as Solaris 2.5.1 ACLs are. The Solaris 2.5.1 operating system has made a number of changes to the ACL application programming interfaces; the ACLs in Trusted Solaris 2.5 are based on the re-implementation, not on the ACL implementation shipped with Trusted Solaris 1.x releases. There are no plans to provide a compatibility library.

The Trusted Solaris 2.5 operating system has extended the support for ACLs to include the tmpfs ﬁle system.

Table 3-16 lists the Trusted Solaris 2.5 ACL interfaces that are new or modiﬁed from the Trusted Solaris 1.x implementation.

Table 3-16 ACL Interface Changes

Operation ACL Interface Get or set ﬁle’s ACL acl(2TSOL), facl(2TSOL) Check validity aclcheck(3) Convert to internal representation aclfromtext(3) Sort ACL aclsort(3)

58 Trusted Solaris 2.5 Transition Guide—July 1997 3

Table 3-16 ACL Interface Changes

Operation ACL Interface Convert an ACL to permission bits acltomode(3) acltopbits(3)

Convert to external representation acltotext(3)

ACLs are a ﬁle system attribute. Trusted Solaris 2.5 programming interfaces to retrieve ﬁle system attributes were described in “File System Attributes and Flags Interfaces” on page 57.

User Database Interfaces – tsolprof and tsoluser

The Trusted Solaris 2.5 operating system has new interfaces to access user entries in the tsoluser(4TSOL) database and execution proﬁle entries in the tsolprof(4TSOL) database. Table 3-17 lists the library routines for accessing user information.

Table 3-17 Library Routines to Access Execution Proﬁle and User Information

Execution Proﬁle Library Routines User Library Routines getprofent(3TSOL) getuserent(3TSOL) getprofentbyname(3TSOL) getuserentbyname(3TSOL) getprofstr(3TSOL) getuserentbyuid(3TSOL) getprofstrbyname(3TSOL) endprofent(3TSOL) enduserent(3TSOL) endprofstr(3TSOL) free_profent(3TSOL) free_userent(3TSOL) free_profstr(3TSOL) setprofent(3TSOL) setuserent(3TSOL) setprofstr(3TSOL)

Programmer Transition 59 3

Execution Proﬁle Database Entries

Execution profiles define the authorizations, commands, and actions a particular user or role can use. Profiles replace a number of Trusted Solaris 1.x databases, such as authoriz, ctab_list, tcb_dynamic, tcb_static, tfm_role.cmds, tfm_role.fncs, user.cmw_labels, and user.login_ctrl.

Note – In the Trusted Solaris 2.5 release, there is no consistency checking. However, proﬁles reduce reliance on forced privileges for security-relevant ﬁles.

The tsolprof(4TSOL) database entries consist of multiple lines of text, containing at least the following five fields: • profile • description • authorizations • actions • commands

The action ﬁeld consists of: • action name • class • type • argument mode • argument count • privileges • effective user id • effective group id • minimum sensitivity label • maximum sensitivity label

The command ﬁeld consists of • directory • ﬁle name • privileges • effective user id • effective group id • minimum sensitivity label

60 Trusted Solaris 2.5 Transition Guide—July 1997 3

• maximum sensitivity label

User Database Entries

The tsoluser(4TSOL) database entries consist of multiple lines of text with the following fields: • username • user account status (locked, open) • number of failed logins • method of password generation • associated execution profiles • assumable roles • minutes a workstation can remain idle • what to do when idle time is reached • label view – whether internal (display ADMIN_HIGH and ADMIN_LOW) or external (demote ADMIN_HIGH to next lowest external label and promote ADMIN_LOW next highest external label). • label translation – When on, label translation means the flags= keyword option is in use in the label_encodings file. • allowed low login labels • allowed high login labels • type of user (regular, admin role, non-admin role) • three reserved fields.

Auditing

The Trusted Solaris 2.5 auditing interfaces are very similar in concept to the audit interfaces provided in the Trusted Solaris 1.x operating system, but are very similar in implementation to those provided in SunOS 5.x. Trusted Solaris 2.5 extends the Solaris 2.5.1 Basic Security Module (BSM) to include audit classes, events, and tokens that are speciﬁc to Trusted Solaris, and includes Trusted Solaris security attributes in its audit records. It also has the framework for per-ﬁle auditing, but does not support it in this release.

Programmer Transition 61 3

Table 3-18 lists the auditing interfaces that are modiﬁed from the Solaris 2.5.1 BSM.

Table 3-18 Auditing Modiﬁcations from the Base

Trusted Solaris Changes Auditing API Calling process needs proc_audit_tcb or audit(2TSOL) proc_audit_appl

Trusted Solaris audit ﬂags added auditon(2TSOL) Calling process needs sys_audit auditsvc(2TSOL) To get or set the audit ID, the calling process needs getauid(2TSOL) sys_audit. To get the audit ID, the calling process needs proc_audit_appl (if the process generates non-TCB events). or proc_audit_TCB (if the process generates TCB events). Calling process needs sys_audit setauid(2TSOL)

Table 3-19 lists the auditing interface changes from the Trusted Solaris 1.x operating system.

Table 3-19 Auditing Modiﬁcations from Trusted Solaris 1.x

Trusted Solaris Changes Auditing API Removed from Trusted Solaris 2.5 auditstat(2) Calling process needs proc_audit_appl to construct auditwrite(3TSOL) user-level audit records and proc_audit_tcb to construct TCB audit events. Calling process needs proc_audit_appl to get peer’s getpeerinfo(3TSOL) attributes. Calling process needs sys_audit and proc_audit_appl getaudit(2TSOL) or proc_audit_tcb to get audit information. Calling process needs sys_audit to set audit information. setaudit(2TSOL)

Trusted X Window System

The Trusted Solaris 2.5 X Window System is based on and generally compatible with the Solaris 2.5.1 X11R5-based window system. The Trusted Solaris 2.5 window system adds access control to all X resources that are accessible through the X protocol.

62 Trusted Solaris 2.5 Transition Guide—July 1997 3

Although restrictions apply to virtually every protocol request, the security policy is transparent to most commercial applications. Inappropriate access is denied, and the event is auditable.

X Protocol Extensions

The Trusted Solaris 2.5 operating system has extended the X Protocols to restrict data ﬂow according to security policy. Most access operations will function normally; however, some operations, such creating a new colormap, require privilege.

The Trusted Solaris 1.x Trusted X server interfaces, based on the X11R4 library and the Xnews server, have been replaced by the Trusted X11R5 server library, which implements the Xsun server. The interfaces do not map one-to-one. Applications coded for Trusted Solaris 1.x Trusted X server interfaces must be recoded. There are no plans to provide a compatibility library.

Table 3-20 lists interfaces accessing X window system security attributes. The removed interfaces are listed in Table A-7 on page 91.

Table 3-20 X WIndow System Interfaces Unique to the Trusted Solaris 2.5 release

Operation Trusted Solaris 2.5 X Protocol Extensions Test for Trusted Path window XTSOLIsWindowTrusted(3X11TSOL) Create Trusted Path window XTSOLMakeTPWindow(3X11TSOL) Get client connection attributes XTSOLgetClientAttributes(3X11TSOL) Get property attributes XTSOLgetPropAttributes(3X11TSOL) Get property CMW label XTSOLgetPropLabel(3X11TSOL) Get property user ID XTSOLgetPropUID(3X11TSOL) Get window, colormap, or pixmap attributes XTSOLgetResAttributes(3X11TSOL) Get window, colormap, or pixmap CMW label XTSOLgetResLabel(3X11TSOL) Get window, colormap, or pixmap user ID XTSOLgetResUID(3X11TSOL) Get screen stripe height XTSOLgetSSHeight(3X11TSOL) Get window input information label XTSOLgetWindowIIL(3X11TSOL) Get server user ID XTSOLgetWorkstationOwner(3X11TSOL) Set polyinstantiation information XTSOLsetPolyInstInfo(3X11TSOL)

Programmer Transition 63 3

Table 3-20 X WIndow System Interfaces Unique to the Trusted Solaris 2.5 release

Operation Trusted Solaris 2.5 X Protocol Extensions Set property CMW label XTSOLsetPropLabel(3X11TSOL) Set property user ID XTSOLsetPropUID(3X11TSOL) Set resource CMW XTSOLsetResLabel(3X11TSOL) Set resource user ID XTSOLsetResUID(3X11TSOL) Set screen stripe height XTSOLsetSSHeight(3X11TSOL) Set session clearance XTSOLsetSessionHI(3X11TSOL) Set minimum lsbel XTSOLsetSessionLO(3X11TSOL) Set window input information label XTSOLsetWindowIIL(3X11TSOL) Set server user ID XTSOLsetWorkstationOwner(3X11TSOL)

Inter-Process Communication (IPC)

Trusted Solaris 2.5 has two primary interprocess communication mechanisms: System V Inter-Process Communications (SVIPC) which provides only intra- machine paths, and networking, that provides both intra- and inter-machine communication paths.

System V IPC

The Trusted Solaris 2.5 operating system enhances Solaris 2.5.1 system calls to handle labels and other security features. The Trusted Solaris 1.x SVIPC system calls are unchanged in this release, except that aclipc(2T) system call is not included and semopl(2TSOL) has been added.

Note – Since the privilege mechanism is different from the Trusted Solaris 1.x implementation, read the man pages for details.

64 Trusted Solaris 2.5 Transition Guide—July 1997 3

Table 3-21 lists the Solaris 2.5.1 interfaces enhanced for security. Trusted Solaris 1.x SVIPC interfaces are listed in Table A-1 on page 72.

Table 3-21 SVIPC Interfaces Enhanced in the Trusted Solaris 2.5 Releases

Enhancements SVIPC Interfaces Checks that object is at subject’s msgctl(2TSOL) semget(2TSOL) sensitivity label. If not, checks that msgget(2TSOL) semop(2TSOL) the calling process asserts the appropriate privilege override. msgrcvl(2TSOL) shmat(2tsol) msgsndl(2TSOL) shmctl(2TSOL) semctl(2TSOL) shmdt(2tsol) shmget(2TSOL)

Endpoint Communications Interfaces

The Berkeley sockets and Transport Layer (TLI) interfaces have been modiﬁed to recognize and create multilevel ports.

Table 3-22 Solaris 2.5.1 Socket Interfaces Modiﬁed for Security and Multilevel Ports

Trusted Solaris 2.5 Changes Changed Interfaces Modiﬁed to identify multilevel ports. Binding accept(3NTSOL) net_mac_read process needs privilege. bind(3NTSOL) connect(3N) getsockopt(3N) recv(3N) recvfrom(3ntsol) recvmsg(3ntsol)

Modiﬁed to send packets at same label as preceding send(3NTSOL) net_reply_equal packet. Calling process needs sendmsg(3NTSOL) privilege. sendto(3NTSOL) socket(3N) socketpair(3N)

Programmer Transition 65 3

Table 3-23 Solaris2.5.1 TLI Interfaces Modiﬁed for Security and Multilevel Ports

Trusted Solaris 2.5 Changes Changed Interfaces Modiﬁed to identify multilevel ports. Binding t_accept(3NTSOL) net_mac_read process needs privilege. t_bind(3NTSOL) t_alloc(3N) t_close(3N) t_connect(3N) t_error(3N) t_free(3N) t_getinfo(3N) t_getstate(3N) t_listen(3N) t_look(3N) t_open(3N) t_optmgmt(3NTSOL) t_rcvconnect(3N) t_rcvdis(3N) t_rcvrel(3N) t_rcvudata(3N)

Modiﬁed to identify multilevel ports. Binding t_snd(3NTSOL) net_mac_read process needs privilege. t_snddis(3N) t_sndrel(3N) t_sndudata(3N) t_strerror(3N) t_sync(3N) t_unbind(3N)

66 Trusted Solaris 2.5 Transition Guide—July 1997 3

Trusted Security Information Exchange Library (TSIX)

Trusted Solaris 1.x trusted network interfaces have been replaced by the Trusted Security Information eXchange (TSIX (RE 1.2)) library for transporting security attribute information over communication endpoints. The old and new interfaces do not map one-to-one. Trusted Solaris 1.x applications must be recoded to use the TSIX library. There are no plans to provide a compatibility library.

The TSIX library promotes portability of trusted applications. Though not required for interoperability, it greatly assists third-party software developers who write distributed applications for multiple platforms. See Table 3-12 for the lists of Solaris 2.5.1 and Trusted Solaris 2.5 security attributes.

Table 3-24 lists the new TSIX library routines. The removed interfaces are listed in Table A-7 on page 91.

Table 3-24 Network Interfaces Unique to Trusted Solaris 2.5

Operation 2.5 Network Interfaces Allocate space t6alloc_blk(3NTSOL) Duplicate attributes t6dup_blk(3NTSOL) Enable security options t6ext_attr(3NTSOL) Free space t6free_blk(3NTSOL) Get security attributes t6get_attr(3NTSOL) Get endpoint attributes t6get_endpt_default(3NTSOL) Get endpoint attributes t6get_endpt_mask(3NTSOL) Return new attributes only t6new_attr(3NTSOL) Examine attributes t6peek_attr(3NTSOL) Receive data and attributes t6recvfrom(3NTSOL) Send data and attributes t6sendto(3NTSOL) Set security attributes t6set_attr(3NTSOL) Set endpoint default attributes t6set_endpt_default(3NTSOL) Get size of one attribute t6size_attr(3NTSOL) Create mask of system supported t6supported_attrs(3NTSOL) attributes.

Programmer Transition 67 3

Table 3-24 Network Interfaces Unique to Trusted Solaris 2.5

Operation 2.5 Network Interfaces Create mask from space allocated. t6allocated_attrs(3ntsol) Create mask from attributes t6present_attrs(3ntsol) Examine attributes on last data byte. t6last_attr(3ntsol) Copy attributes. t6copy_blk(3NTSOL) Compare attributes. t6cmp_attrs(3NTSOL) Clear security attributes t6clear_blk(3NTSOL) Set the endpoint attribute mask. t6set_endpt_mask(3NTSOL) Backwards compatibility. t6ext_attr(3NTSOL)

RPC Interfaces

Trusted Solaris 2.5 RPC library routines have been modified to handle the transportation of security attribute information. Data structures have been modified to contain the attributes, and RPC calls have been modified to transport the attributes in the structure. See the rpc(3NTSOL) man page for more information.

New Multilevel Ports

In the Trusted Solaris 2.5 operating system, all communication endpoints are either multilevel or single-level ports to support unmodiﬁed applications in a trusted environment. In the Trusted Solaris 1.x operating system, only single- level ports were supported. • Multilevel port – A network endpoint associated with all sensitivity labels. • Single-level port – A network endpoint associated with one sensitivity label.

A multilevel or single-level port is created when an endpoint is bound. If the binding process has net_mac_read, the port is a multilevel port. Otherwise, it is a single-level port.

A multilevel port can receive data with any sensitivity label, while a single-level port can receive only data with the matching label.

68 Trusted Solaris 2.5 Transition Guide—July 1997 3

Trusted Streams

The Solaris 2.5.1 streamio(7) device network interface is modiﬁed. It runs below other Trusted Solaris 2.5 networking interfaces and is not usually used directly. The Trusted Streams interfaces let you send and receive security attribute information across a stream. They are new in the Trusted Solaris 2.5 operating system. Table A-2 on page 74 lists the modiﬁed and new interfaces.

CDE Desktop Applications

Applications are launched from the CDE desktop as CDE actions. The Trusted Solaris 2.5 operating system fully supports applications written with CDE interfaces and the following X Toolkits: • Motif 1.2.4 • XView (current version is 3.5.1) • OpenLook Interface Toolkit (OLIT) (current version is 3.5.1)

Note – Any toolkit that conforms to the Inter-Client Communications Conventions Manual (ICCCM) standards should function properly. However, the Motif toolkit provides maximum portability.

CDE applications shipped with the Trusted Solaris 2.5 release are based on Motif 1.2.4. However, Trusted Solaris 2.5 supports and allows interoperability with OpenWindows applications based on the XView and OpenLook Interface Toolkit (OLIT) toolkits.

Motif-based applications should run in the Trusted Solaris 2.5 environment with little or no modiﬁcation. See the Solaris Common Desktop Environment: Motif Transition Guide, PN 802-2962-10 (June 1995) manual for Motif to Solaris porting issues. Colormaps, for example, are handled differently.

Possible Trusted Solaris modifications to existing applications include: creating a multilevel directory for program files, adding properties created by the application to the file /usr/openwin/server/tsol/property.atoms so that the properties can be polyinstantiated, and root (UID=0) permission during installation.

Note – Use runpd(1MTSOL) to check for privilege requirements. See “Privilege Debugging” on page 54 for details.

Programmer Transition 69 3

CDE enables you to wrap commands and executables in CDE actions that can be invoked by clicking on an icon in the front panel. CDE action creation is unmodiﬁed in the Trusted Solaris 2.5 environment. See the CDE document set for programming guidelines. See for restrictions on CDE action assignment.

For See: Common Desktop Environment Programming style Style Guide and Certiﬁcation Checklist Online help Help System Author’s and Programmer’s Guide Creating actions Advanced User’s and System Administrator’s Guide

70 Trusted Solaris 2.5 Transition Guide—July 1997 Trusted Solaris Programming Interfaces A

The tables list in alphabetical order all the system calls, functions, and library routines in the Trusted Solaris 2.5 release that are new or are modiﬁed versions of Solaris 2.5.1 interfaces. Changes from Trusted Solaris 1.x interfaces are also listed.

System Calls Unique to Trusted Solaris Operating Systems page 72 Trusted Streams Functions page 74 Solaris 2.5.1 System Calls Enhanced for Security page 75 Removed Trusted Solaris 1.x System Calls page 80 Library Routines Unique to Trusted Solaris page 80 Solaris 2.5.1 Library Routines Enhanced for Security page 87 Removed Trusted Solaris 1.x Library Routines and Functions page 91

71 A

System Calls Unique to Trusted Solaris Operating Systems

The system calls listed in Table A-1 on page 72 were added to the Trusted Solaris environment in either the 1.x or 2.5 release. The column on the right indicates whether the system call is new to or has changed in the Trusted Solaris 2.5 release. Where there is no change the column is empty.

Note – The man page section of system calls has changed from 2T in the Trusted Solaris 1.x release to 2TSOL in the Trusted Solaris 2.5 release.

New – This system call is new in the Trusted Solaris 2.5 release.

Description – Changes from the Trusted Solaris 1.x system call.

Table A-1 Trusted Solaris-speciﬁc System Calls

Trusted Solaris System Calls Change from 1.x to 2.5, if any chstate(2TSOL) New fgetcmwfsrange(2TSOL) fgetcmwlabel(2TSOL)

fgetfattrflag(2TSOL) New fgetfpriv(2TSOL) New fgetfsattr(2TSOL) New fgetmldadorn(2TSOL) fgetsldname(2TSOL)

fsetcmwlabel(2TSOL) Constant parameter now in list and new structure. fsetfattrflag(2TSOL) New fsetfpriv(2TSOL) New data structure and new name in 2.5 getclearance(2TSOL) getcmwfsrange(2TSOL) getcmwlabel(2TSOL) getcmwplabel(2TSOL)

getfattrflag(2TSOL) New getfpriv(2TSOL) New data structure and new name in 2.5

72 Trusted Solaris 2.5 Transition Guide—July 1997 A

Table A-1 Trusted Solaris-speciﬁc System Calls

Trusted Solaris System Calls Change from 1.x to 2.5, if any getfsattr(2TSOL) New getmldadorn(2TSOL) getmsgqcmwlabel(2TSOL) getpattr(2TSOL) New getppriv(2TSOL) New data structure and new name in 2.5 getsemcmwlabel(2TSOL) getshmcmwlabel(2TSOL) getsldname(2TSOL) lgetcmwlabel(2TSOL) lsetcmwlabel(2TSOL) New mldgetfattrflag(2TSOL) New mldsetfattrflag(2TSOL) New mldstat(2TSOL) Constant parameter now in list. mldlstat(2TSOL) Constant parameter now in list. msggetl(2TSOL) msgrcvl(2TSOL) msgsndl(2TSOL) preadl(2TSOL) New readl(2TSOL) New readlink(2TSOL) New readv(2TSOL) New readvl(2TSOL) New secconf(2TSOL) New semgetl(2TSOL) semopl(2TSOL) New setclearance(2TSOL) setcmwlabel(2TSOL) Constant parameter now in list and new structure.

Trusted Solaris Programming Interfaces 73 A

Table A-1 Trusted Solaris-speciﬁc System Calls

Trusted Solaris System Calls Change from 1.x to 2.5, if any setcmwplabel(2TSOL) New structure for 2.5. setfattrflag(2TSOL) New setfpriv(2TSOL) New data structure and new name in 2.5 setpattr(2TSOL) New setppriv(2TSOL) New shmgetl(2TSOL)

writel(2TSOL) New writev(2TSOL) New writevl(2TSOL) New

Trusted Streams Functions

Table A-2 Trusted Streams Interfaces

Modiﬁed Solaris 2.5.1 Interfaces New Trusted Streams Interfaces linkb(9FTSOL) getpmsgattr(2TSOL) put(9FTSOL) putpmsgattr(2TSOL) putbq(9FTSOL) tsol_get_strattr(9FTSOL) putctl(9FTSOL) tsol_linkb(9FTSOL) putctl1(9FTSOL) tsol_putctl(9FTSOL) putnext(9FTSOL) tsol_putctl1(9FTSOL) putnextctl(9FTSOL) tsol_putnextctl(9FTSOL) putnextctl1(9FTSOL) tsol_putnextctl1(9FTSOL) putq(9FTSOL) tsol_set_strattr(9FTSOL) qreply(9FTSOL) tsol_relestrattr(9FTSOL)

74 Trusted Solaris 2.5 Transition Guide—July 1997 A

Solaris 2.5.1 System Calls Enhanced for Security

The Solaris 2.5.1 system calls listed in Table A-3 are enhanced for security policy. The original Trusted Solaris modiﬁcation release is indicated.

Table A-3 Modiﬁed Solaris 2.5.1 System Calls

Interface Release Modiﬁed access(2TSOL) 2.5 acl(2TSOL) 1.x adjtime(2TSOL) 2.5 audit(2TSOL) 2.5 auditctl(2TSOL) 1.x auditon(2TSOL) 2.5 auditsvc(2TSOL) 2.5 chdir(2TSOL) 2.5 chmod(2TSOL) 2.5 chown(2TSOL) 2.5 chroot(2TSOL) 2.5 close(2) 2.5 creat(2TSOL) 2.5 dup(2) 2.5 exec(2TSOL) 2.5 execl(2TSOL) 2.5 execle(2TSOL) 2.5 execlp(2TSOL) 2.5 execv(2TSOL) 2.5 execve(2TSOL) 2.5 execvp(2TSOL) 2.5 facl(2TSOL) 1.x fchdir(2TSOL) 2.5 fchmod(2TSOL) 2.5

Trusted Solaris Programming Interfaces 75 A

Table A-3 Modiﬁed Solaris 2.5.1 System Calls

Interface Release Modiﬁed fchown(2TSOL) 2.5 fchroot(2TSOL) 2.5 fcntl(2TSOL) 2.5 fork(2TSOL) 2.5 fork1(2TSOL) 2.5 fpathconf(2TSOL) 2.5 fstat(2TSOL) 2.5 fstatvfs(2TSOL) 2.5 getaudit(2TSOL) 1.x getauid(2TSOL) 2.5 getdents(2TSOL) 2.5 getgroups(2TSOL) 2.5 getmsg(2TSOL) 2.5 getpgrp(2TSOL) 2.5 getsid(2TSOL) 2.5 ioctl(2) 2.5 kill(2TSOL) 2.5 lchown(2TSOL) 2.5 link(2TSOL) 2.5 llseek(2TSOL) 2.5 lseek(2TSOL) 2.5 lstat(2TSOL) 2.5 memcntl(2TSOL) 2.5 mkdir(2TSOL) 2.5 mknod(2TSOL) 2.5 mmap(2TSOL) 2.5 mount(2TSOL) 2.5

76 Trusted Solaris 2.5 Transition Guide—July 1997 A

Table A-3 Modiﬁed Solaris 2.5.1 System Calls

Interface Release Modiﬁed mprotect(2TSOL) 2.5 msgctl(2TSOL) 2.5 msgget(2TSOL) 2.5 msggetl(2TSOL) 2.5 msgop(2TSOL) 2.5 msgrcv(2TSOL) 2.5 msgsnd(2TSOL) 2.5 msgsndl(2TSOL) 2.5 nfssvc(2TSOL) 2.5 nice(2TSOL) 2.5 owait(2TSOL) 2.5 owait3(2TSOL) 2.5 open(2TSOL) 2.5 pathconf(2TSOL) 2.5 pipe(2) 2.5 pread(2TSOL) 2.5 priocntl(2TSOL) 2.5 priocntlset(2TSOL) 2.5 processor_bind(2TSOL) 2.5 ptrace(2TSOL) 2.5 pwrite(2TSOL) 2.5 pwritel(2TSOL) 2.5 p_online(2TSOL) 2.5 read(2TSOL) 2.5 readvl(2TSOL) 2.5 reboot(2TSOL) 2.5 rename(2TSOL) 2.5

Trusted Solaris Programming Interfaces 77 A

Table A-3 Modiﬁed Solaris 2.5.1 System Calls

Interface Release Modiﬁed revoke(2TSOL) 1.x rmdir(2TSOL) 2.5 semctl(2TSOL) 2.5 seek(2TSOL) 2.5 semget(2TSOL) 2.5 semgetl(2TSOL) 2.5 semop(2TSOL) 2.5 semopl(2TSOL) 2.5 setaudit(2TSOL) 1.x setauid(2TSOL) 2.5 setegid(2TSOL) 2.5 seteuid(2TSOL) 2.5 setgid(2TSOL) 2.5 setgroups(2TSOL) 2.5 sethostname(2TSOL) 2.5 settimeofday(2TSOL) 2.5 setpriority(2TSOL) 2.5 setrlimit(2TSOL) 2.5 setuid(2TSOL) 2.5 setuseraudit(2TSOL) 1.x shmat(2TSOL) 2.5 shmctl(2TSOL) 2.5 shmdt(2TSOL) 2.5 shmget(2TSOL) 2.5 shmgetl(2TSOL) 2.5 sigsend(2TSOL) 2.5 sigsendset(2TSOL) 2.5

78 Trusted Solaris 2.5 Transition Guide—July 1997 A

Table A-3 Modiﬁed Solaris 2.5.1 System Calls

Interface Release Modiﬁed stat(2TSOL) 2.5 statvfs(2TSOL) 2.5 stime(2TSOL) 2.5 symlink(2TSOL) 2.5 sync(2) 2.5 sysfs(2) 2.5 sysinfo(2TSOL) 2.5 uadmin(2TSOL) 2.5 ulimit(2TSOL) 2.5 umask(2) 2.5 umount(2TSOL) 2.5 unlink(2TSOL) 2.5 utimes(2TSOL) 2.5 vfork(2TSOL) 2.5 vhangup(2) 2.5 write(2TSOL) 2.5

Trusted Solaris Programming Interfaces 79 A

Removed Trusted Solaris 1.x System Calls

The Trusted Solaris 1.x system calls listed in Table A-4 are not supported in the Trusted Solaris 2.5 release. A Trusted Solaris 2.5 replacement system call is listed if there is one.

Table A-4 System Calls Removed Between Trusted Solaris Releases

Programming Interface Trusted Solaris 2.5 Equivalent aclipc(2T) Removed. audituser(2T) Removed. getkernstate(2T) getaudit_x(2TSOL) setkernstate(2T) setaudit_x(2TSOL) getprocpriv(2T) getppriv(2TSOL) setprocpriv(2T) setppriv(2TSOL) getfilepriv(2T) getfpriv(2TSOL) setfilepriv(2T) setfpriv(2TSOL)

mkfso(2T) Removed. revoke(2T) Removed. secuname(2T) Removed.

Library Routines Unique to Trusted Solaris

The library routines listed in Table A-5 on page 81 were added to either the 1.x or 2.5 release. The column on the right indicates whether the library routine is new to or has changed as follows:

No change for 2.5 – This Trusted Solaris 1.x library routine is unchanged in the Trusted Solaris 2.5 release.

New in 2.5 – This Trusted Solaris 2.5 library routine is new.

80 Trusted Solaris 2.5 Transition Guide—July 1997 A

Parameter list change – This Trusted Solaris 1.x library routine is also in the Trusted Solaris 2.5 release, but there have been some changes to its parameter list.